Abstract

Trust management is a scalable form of access control that relies heavily on delegation. Different parts of the policy are under the control of different principals in the system. While these two characteristics may be necessary in large or decentralized systems, they make it difficult to anticipate how policy changes made by others will affect whether one's own security objectives are met and will continue to be met in the future. Automated analysis tools are needed for assessing this question. The article develops techniques that support the development of tools that nevertheless are able to solve many analysis problem instances. When an access control policy fails to satisfy desired security objectives, the tools provide information about how and why the failure occurs. Such information can assist policy authors in designing appropriate policies. The approach to performing the analyses is based on model checking. To assist in making the approach effective, a collection of reduction techniques is introduced. We prove the correctness of these reductions and empirically evaluate their effectiveness. While the class of analysis problem instances we examine is generally intractable, we find that our reduction techniques are often able to reduce some problem instances into a form that can be automatically verified.


1  Introduction 

Correctly configuring authorization systems is difficult. Effectively and appropriately controlling who has access to which resources has serious implications for the interests of private citizens, corporations and other organizations, including national governments. If the authorization state were static and never needed to be changed, the problem would be less difficult. Unfortunately, it is necessary to maintain high-level security objectives while the authorization state is changing. In one of the classical results [14] in computer security, Harrison, Ruzzo, and Ullman showed in 1976 that a relatively simple, highly desirable security analysis problem is undecidable.

The problem they studied is called safety. The problem instance is given by the following. An initial authorization state is specified. In the model they use, the authorization state is given by an access control matrix having rows and columns for subjects and objects, respectively, and a set of rights that the subject has on the object in the corresponding cell. State transitions occur as the result of executing administrative commands. A set of commands is given by the problem instance. These commands have the following form: they take parameters (subjects and objects); they test whether command-specified rights are elements of command-specified matrix cells; if the specified cells contain the specified rights, a sequence of primitive operations is executed. Primitive operations can add and remove subjects (rows) and objects (columns), and they can add or remove rights from cells. The assumption is that all possible command sequences are possible. Finally, the problem instance includes a specified subject, a specified object, and a specified right. The problem question asks whether there is a transition sequence starting from the initial matrix that makes the cell determined by the given subject and the given object contain the given right.

Clearly this is an important question to be able to answer; an important security objective is likely to be that the specified subject never receive the specified right on the specified object.

In the years following this troubling undecidability result, enormous effort was devoted to finding authorization models that provide adequate expressive power while admitting efficient decision procedures for the version of the safety problem that can be specified within the model. (Representatives of models that succeeded in this goal include the Take-Grant model of Lipton and Snyder [24], and the TAM model by Sandhu [31].) In the end, few of these models received wide acceptance, being viewed as too hard to use in practice, and the goal of designing authorization systems that support efficient safety analysis was supplanted by other goals, such as usability, flexibility, and scalability. Interestingly, authorization systems that have been proposed relatively recently turn out to allow (the corresponding version of) the classical safety problem to be solved efficiently. In particular, this is true of the authorization system we study here¹.

Classical access control systems (e.g., Bell-LaPadula [5], Role-based Access Control [32], and Domain and Type Enforcement [2]) were designed for monolithic information and control systems used by organizations having rather static structure by today's standards. They tend to centralize administrative authority and to limit their expressive power to characterizing the relationship a principal has to a single, implicit authority, which makes them best suited for use within a single organization, making their application to inter-organizational partnerships cumbersome. They also do not easily accommodate rapid reorganization and its accompanying needs for policy flexibility.

One approach to achieving scalability and flexibility is called Trust Management [6]. Trust management supports decentralization of authority by enabling interested parties to define authorization policy without the intervention of a security officer or a handful of security-system administrators. Another approach that has become very popular over the last 10 or 15 years is Role-Based Access Control (RBAC) [32], which assigns users to roles based on their organizational and functional roles, and assigns permissions to obtain access to roles, rather than directly to individual users. This approach is viewed as greatly enhancing manageability, although like many other security systems, it tends to focus on the relationship between a principal and a single organization.

A relatively recent contribution that blends strengths from both these approaches is Role-based Trust management (RT). RT provides a family of authorization policy languages. The framework provides a collection of language features, each providing a distinct expressive power, and the various languages are obtained by combining the various features. (See for instance [15, 19, 20, 25].) From RBAC, RT borrows the ability to characterize principals much more generally than in terms of the resources to which they should have access. From trust management, it borrows features that support decentralization through delegation of authority by stakeholders such as resource owners to knowledgeable parties that may have greater familiarity or expertise with respect to characterizing would-be resource users. This facilitates both scalability and flexibility. Each role has an associated owner that controls which principals are added to the role. By choosing to add the members of roles owned by other principals, the owner delegates authority to those other roles' owners, who in turn have sole control over the principals added to the roles they own.

¹ We go on to study the evaluation of much more expressive policy analyses, which are decidable, but generally intractable.

The simplest member of the RT family is RT₀. Li et al. [21] have shown that many security properties, including the classical safety property, can be decided for RT₀ in polynomial time. However, the most expressive and most useful properties, which require role-containment analysis [21], are EXPTIME-complete [36]. Among these properties are notions of availability, mutual exclusion, and a generalization of the safety problem. Consider the following example of the generalized form of safety: Assuming certain parts of the policy do not change, it will always be the case that only employees can access the confidential database, no matter what changes are made in the rest of the policy. Rather than asking whether a particular principal could gain access, as is done by the classical safety problem, it asks whether a whole class of principals (those that are not employees) could gain access. The importance of gaining assurance that such security objectives will continue to be met as the policy evolves is clear.

The fact that role-containment analysis is EXPTIME-complete indicates that many problem instances will remain forever out of reach. However, this does not preclude the possibility that analysis techniques could be developed that would be useful in many cases of interest. Thus, it is natural to wish to determine the limits of such analyses when applied to realistic policies. This article seeks to do just that. In particular, it assesses the extent to which containment queries can be analyzed by using currently available model-checking technology. When using this approach, one transforms a given security-analysis problem instance into a model checking problem instance. Model checking [7, 8] offers general-purpose verification tools that are fully automated. In essence, they check whether all runs of a given finite state machine satisfy some property. When a run is discovered that does not satisfy the property, it is reported as a counterexample. The tool we use is also highly optimized for exploring large search spaces (which typically grow exponentially in the size of the input). One technique that is often used in conjunction with model checking is called reduction. Reduction converts one problem instance to another that is designed to be less expensive to solve.

A security-analysis problem instance π = (P, R, Q) is given by an RT policy P, a structure R called a restriction rule, and a query Q. A policy P is a set of statements that assign principals to roles. These statements compose the definition of the role and each such statement is said to define the role, though in general it actually merely contributes to the definition. The semantics of a policy is given by an assignment to each role of a set of principals as members of the role². In addition to being a candidate for membership in roles, each principal has the sole right to create, modify, and remove statements that define the roles she owns. Thus, the administrative model is very simple. When such a statement adds (the members of) a role owned by another principal, the principal authoring that statement does not control the statements that define that other role. In this sense, the statement author is delegating authority to assist in defining the membership of her own role. (It can be assumed that membership in certain roles controls access to various resources; however, this association of roles to resources is not established by the RT policy itself.) We call a given policy an authorization state, a policy state, or simply a state. A state transition occurs when a principal creates, modifies, or removes a statement defining one of her roles.

In the absence of any assumptions about which roles are changed, any given state is reachable from any other state. Loosely speaking, a restriction rule R identifies roles defined by statements that are assumed for the purpose of the analysis not to change. (This notion is made precise in the next section.) In this manner, the restriction rule states assumptions about which state transitions can be taken, and therefore which states are reachable under R from the initial state P.

² Note that many policies may induce the same semantics.
A query Q relates the membership of a role to some other set. While simpler queries are also supported³, a role containment query asserts that the membership of one role is contained (as a subset) in the membership of another role in the semantics of every reachable state. Thus a query may or may not be satisfied by P under R. In the example problem instance mentioned above, the query asserts that in all reachable states, the principals that are in the role defining who can gain access to a secret database are all members of the role consisting of all company employees.

The question part of the security-analysis problem asks whether the assertion given by the query holds in (the semantics of) each state reachable from P under R. We present and evaluate empirically several automated reduction techniques that diminish the computational cost of analysis⁴. These techniques operate at two levels. Techniques in the first class transform a security-analysis problem instance into one or more instances of the same problem that together are equivalent to the original, but that are often less expensive to decide. These techniques can be used with any method of deciding analysis problem instances because they transform one problem instance into one or more instances of the same problem. Techniques in the second class simplify the model-checking problems generated by our problem transformation. As such, they would not be applicable with all security-analysis methods. We present three reduction techniques in the first class and two in the second class.

An analysis problem evaluation method is said to be sound if whenever it replies in the affirmative (i.e., the query holds in all reachable states), the role-role containment does in fact hold in every reachable state. The method is said to be complete if when the role-role containment does in fact hold in every reachable state, the evaluation method replies in the affirmative. All of the reduction techniques mentioned thus far are both sound and complete.

Evaluation methods that are sound, but incomplete, or that are complete, but not sound, are called semi-decision procedures. We present one procedure in each of these categories. Because they require less computational effort, we are particularly interested in semi-decision procedures that require the exploration of a smaller set of states than must be explored by our sound and complete evaluation methods (full decision procedures). The semi-decision procedures that we present have this property and hence sometimes terminate successfully when our full decision procedures do not. However, semi-decision procedures provide less information than do full decision procedures. When a sound, but incomplete semi-decision procedure reports that the query holds, we know the query is actually satisfied, confirming that the associated security objective is met, as desired. However, like all procedures in this category, in some cases it may fail to confirm that the query is satisfied when in fact it is. On the other hand, a semi-decision procedure that is complete, but unsound may report that the query holds when in fact it does not. The utility of such a semi-decision procedure is less obvious than that of those in the first category; it is that when a complete but unsound procedure reports that there exists a state that falsifies the query, this is in fact the case. Hence, such a procedure can be useful as a policy "debugger." We call a state in which the role-role containment actually does not hold a counterexample. The complete but unsound procedure we present has the property that counterexamples that are found are states that are actually reachable in the original analysis problem instance. Because the counterexample that is discovered is reported by the tool, it can help a policy author to understand how the part of the policy controlled by her and the other role owners that she trusts is vulnerable to having security objectives violated through policy changes made to parts of the policy that are under the control of others.

Recall that our reduction techniques can be divided into (1) those that can be applied with any evaluation technology and (2) those that are specific to the model-checking approach. Among the two semi-decision techniques, we have one in each of these two classes. The sound, but incomplete one can be applied with any evaluation technology. It replaces the restriction rule with one that is less restrictive. The procedure that is complete, but unsound is specific to the model-checking approach.

³ A simpler form of query relates the set of members of a given role to a constant set, specified explicitly in the query, that does not depend on the policy state under consideration.

⁴ An important observation that we make use of extensively in our reductions is that it is not essential to explore all reachable policy states in order to answer the security-analysis question — it is sufficient to explore a set of policy states that can be shown to induce exactly the set of role membership assignments (semantics) that are induced by the reachable policy states.

Contributions 

1. We design and prove correctness of:

(a) Three reduction techniques that often reduce the computational effort required to perform role containment analysis. These techniques can be applied with any evaluation technology; they produce one or more potentially much less costly instances of the same policy-analysis problem that are all satisfied if and only if the original problem instance is satisfied.

(b) Techniques for transforming security analysis problem instances into model checking problem instances.

(c) Two reduction techniques that are specific to our model-checking approach and that often substantially reduce the size of the model-state space to be explored.

(d) Two semi-decision procedures for policy analysis. Again, these often dramatically reduce the size of either the policy-state space or the model-state space that must be considered. One of these semi-decision procedures is sound, but incomplete, and transforms one policy-analysis problem instance into another. The other is complete, but not sound, and transforms one model-checking problem instance into another. By using each of these techniques, one can identify many role containments that definitely are satisfied or definitely are not. Both techniques allow the user to adjust the values of certain parameters in a way that yields a trade-off between precision and cost.

2. We implement a tool suite called RT-SPACE for performing role containment analysis that implements the designs listed above. The translation tool takes a role containment problem instance and generates a model for input to the Cadence SMV model checker [1, 27]. The model checker provides a counterexample when the problem instance is not satisfied. This facilitates policy "debugging." The suite provides an integrated environment in which to specify and visualize RT policies and role-containment problem instances, as well as to evaluate those problem instances and to visualize their results (e.g., counterexamples).

3. We use RT-SPACE to empirically evaluate the performance of our techniques and to assess the results. To our knowledge, RT policies used in practice are not available. Therefore, by using a combination of manual and automated means, we generate policies for analyzer evaluation that are as realistic as possible. Our findings from this assessment include the identification of features of analysis problem instances that have a large effect on the cost of performing the analysis.

Preliminary reports of this investigation have appeared previously [28, 29]. Let us now summarize the material that has not previously appeared and is new in this archival article. Some reduction techniques have previously been specified or discussed informally [29]. 1(a): Among the three analysis problem-level reduction techniques that we present in the new submission, only one has been previously discussed in its current form. The second has not been previously discussed. The third is strictly more general than the combination of two reduction techniques previously reported and replaces the previous two in the new submission. All of the reduction techniques presented here are shown to be sound and complete; no such verification has previously appeared. 1(b): The transformation of the security problem into a model checking problem has previously been discussed informally, but has not been precisely specified or verified; both are done in the new article. 1(c): The reduction techniques that work at the model-checking level are both new (as are their verifications). 1(d): The semi-decision procedures have previously been discussed informally, but have not been precisely specified or verified. 2: The previously presented [28] tool suite, RT-SPACE, has now been updated to include implementations of the new reduction techniques listed above. 3: The set of features of analysis problem instances that can dramatically influence the cost of policy analysis is new in this article. Guided by these features, the new submission introduces criteria for systematically generating test cases and evaluating the analysis techniques.

The structure of this paper is as follows. Section 2 describes the RT language, role containment analysis, and prior results identifying tractable classes of analysis problem instances. Section 3 describes sound and complete reductions that help our verification techniques terminate successfully. Section 4 presents the construction of finite state machine models from analysis problem instances, which enables the use of model checking for our purposes, as described in Section 5. Section 6 discusses two semi-decision procedures, which significantly reduce the size of the search space that must be explored by the model checker. Section 7 presents the implementation of the policy analysis framework RT-SPACE, providing us with the means to evaluate our techniques in Section 8. Section 9 compares our framework with related work, and we conclude in Section 10.

2  The  RT  Policy  Language 

RT is a family of role-based trust management languages designed to support highly decentralized, attribute-based access control [20]. It enables resource providers to make authorization decisions about resource requesters of whom they have no prior knowledge. This is achieved by delegating authority for characterizing principals in the system to other entities that are in a better position to provide the characterization. For instance, to grant discounted service to students, an electronic bookstore might delegate to universities the authority to identify students and delegate to accrediting boards the authority to identify universities.

A significant problem that policy authors face in this context is that of determining the extent of their exposure through delegation to principals not under their direct control or which they are prepared to trust only partially. The security analysis problem in this context consists of determining whether changes made by such principals could cause certain policy objectives to become violated. One example of the security analysis problem would ask whether changes made by anyone outside the electronic publishing organization could cause inappropriate resource requesters to receive the student discount or, more generally, gain access to the organization's sensitive data. This security analysis problem has been studied by Li et al. [21] for the simplest member of the RT family, RT₀. While it must be emphasized that there are many languages in the RT family, as we focus exclusively on RT₀, in the interest of brevity, the remainder of this article uses simply RT to refer to RT₀. In this section, we summarize RT and the security analysis of it.

2.1  Overview  of  RT  Syntax  &  Semantics 

The RT language provides two primary constructs, principals and roles. A principal is an entity such as a person or software agent. A role takes the form A.r, in which A is a principal and r is a role name. In RT₀, A is the owner of A.r. One interpretation of the role A.r is that the principal A considers the members, which are also principals, to have an attribute, property, or characteristic denoted by the role name. In an RT policy, A can add principals of A's choosing to role A.r, which A does by issuing policy statements,
Type        Syntax                 Description
Type I      A.r ← D                Simple Member
Type II     A.r ← B.r₁             Simple Inclusion
Type III    A.r ← B.r₁.r₂          Linking Inclusion
Type IV     A.r ← B.r₁ ∩ C.r₂      Intersection Inclusion

Figure 1: RT statements


each of which takes one of the four forms shown by Figure 1 [23]. Each policy statement defines the role on the left-hand side of the arrow and adds principals denoted by the expression on the right-hand side. So each of the statements shown in the figure defines the role A.r, which means they can be issued only by principal A. Thus, the administrative model is very simple: A and only A can issue or revoke statements that define roles owned by A. Statements are assumed to be verifiable, either cryptographically, or by some other means whereby integrity and authenticity can be ensured.

Referring to Figure 1, a role owner A can add a specific principal D by issuing a Type I statement. For example, by issuing Alice.friend ← Bob, Alice identifies Bob as being one of her friends. By issuing a Type II statement, A can add all the members of another role, B.r₁, as members of A.r. In this case, A delegates authority to B to assist in defining A.r. For example, by issuing the statement Alice.friend ← Bob.friend, Alice states that any friend of Bob is also a friend of Alice. So if Bob issues Bob.friend ← Dave, Dave becomes a member not only of Bob.friend, but also of Alice.friend. Here Alice delegates authority to a specific principal (Bob) by name. Type III statements provide a mechanism whereby a role owner A can delegate authority to all members of a given role B.r₁. For example, the statement Alice.friend ← Bob.family.friend says that any friend of a member of Bob's family is also a friend of Alice. So any member of Bob's family can contribute to the membership of Alice.friend. We call this attribute-based delegation because Alice delegates authority to all members of the designated role, rather than to a specific, named principal⁵. Finally, Type IV statements support intersection: a principal must be a member of two given roles, B.r₁ and C.r₂, in order to be added to A.r according to a statement of this type. For example, Alice.friend ← Bob.friend ∩ Carl.friend says that those principals who are friends of both Bob and Carl are introduced into the set of Alice's friends. Disjunction (set union) is provided by allowing multiple statements to be issued defining the same role. Note that a given principal must appear in the right-hand side of some Type I statement if it is to be contained in any role. We borrow the following example from the literature to further illustrate the use of the first three types of credentials.

Example 1 ([23]) Suppose EPub considers students of all universities to be entitled to a discount on its publications. If RT did not support attribute-based delegation, EPub would have to know all the universities and delegate explicitly to each of them. Using attribute-based delegation, EPub can delegate authority over identifying universities to another entity, e.g., a fictitious Accrediting Board for Universities, ABU.

EPub.discount ← EPub.university.student (1)
StateU.student ← RegistrarB.student (3)
RegistrarB.student ← Alice (4)
EPub.university ← ABU.accredited (5)
ABU.accredited ← StateU (6)

These credentials form a chain from Alice to EPub.discount, consisting of three parts.

⁵ Li et al. [23] restrict Type III credentials to have the form A.r ← A.r₁.r₂, i.e., the principal on the right, B, must be the same as the principal on the left, A. This benefits discovery of proofs of role membership, called credential chains. It does not limit expressive power, as A can simply issue the statement A.r₁ ← B.r₁ to achieve the same effect as the form introduced here. We allow the more general syntactic form here because doing so simplifies many examples.




    part (a):  EPub.discount ← EPub.university.student
    part (b):  EPub.university ← ABU.accredited ← StateU
    part (c):  StateU.student ← RegistrarB.student ← Alice        (3), (4)

Here, part (b) shows that StateU has the attribute on the basis of which EPub delegates to StateU the authority to identify students. In this way, it connects part (a) and part (c) into a chain. Thus the example illustrates how attribute-based delegation promises flexibility and scalability. (Admittedly, the example also illustrates the fact that attribute-based delegation requires that all universities use the same role name to define their student roles, which requires cooperation among all universities if their students are to receive the discount.)

Given a set of RT policy statements, each statement is of the form A.r ← e in which e ∈ {D, B.r, B.r₁.r₂, B.r₁ ∩ C.r₂}. We call the left-hand side of the arrow, A.r, the defined role. For any e of the form D, B.r, B.r₁.r₂, or B.r₁ ∩ C.r₂, we call e a role expression. Given a role expression of the form B.r₁.r₂, B.r₁.r₂ is called a linked role expression, B.r₁ is the base-linked role, and each role of the form X.r₂ is called a sub-linked role if the given set of policy statements makes X a member of B.r₁.

An RT policy or policy state P is a set of RT policy statements. We denote the set of role names occurring in P by Names(P); we denote the set of principals in P by Principals(P); we denote the set of roles of P by Roles(P) = {A.r | A ∈ Principals(P) ∧ r ∈ Names(P)}. Note that roles in Roles(P) do not necessarily appear in P, but are constructed from principals and role names that do. We denote the restriction of a policy P to a given set of roles Γ by P|Γ = {A.r ← e ∈ P | A.r ∈ Γ}.

The semantics of RT can be constructed in many equivalent ways. One of these is to transform a policy into a DATALOG program, which has a well-defined semantics that can be computed as a fixpoint of an operator called T_P, in which P is the program. For our purposes, our proofs are more concise if we skip the transformation to DATALOG and simply construct the semantics of P directly as a fixpoint of a variant of this operator, T_P, in which P is an RT policy.

We define the semantics of RT policy P by a function that takes a role and returns a set of principals (the role's members). It is denoted by [·]_P : T(P), in which T(P) = Roles(P) → ℘(Principals(P)) and ℘ denotes powerset. So for instance [B.r₁]_P yields the set of principals in role B.r₁ under policy P. The set of functions of type T(P) can be ordered by η₁ ⊑ η₂ iff η₁(A.r) ⊆ η₂(A.r) for all A.r ∈ Roles(P) and η₁, η₂ ∈ T(P). It is easy to see that (T(P), ⊑) forms a complete lattice. The function [·]_P can now be constructed by taking the least fixpoint of a monotonic function over functions, T_P : T(P) → T(P).

Definition 1 (Semantics of RT) The T_P operator is defined as follows. Given any η ∈ T(P) and any A.r ∈ Roles(P),

$$
\begin{aligned}
T_P(\eta)[A.r] = \{\, D \mid\ & A.r \leftarrow D \in P\ \vee \\
& (A.r \leftarrow B.r_1 \in P \wedge D \in \eta[B.r_1])\ \vee \\
& (A.r \leftarrow B.r_1.r_2 \in P \wedge \exists Z.\, Z \in \eta[B.r_1] \wedge D \in \eta[Z.r_2])\ \vee \\
& (A.r \leftarrow B.r_1 \cap C.r_2 \in P \wedge D \in \eta[B.r_1] \wedge D \in \eta[C.r_2]) \,\}
\end{aligned}
$$

The least fixpoint of T_P can be computed by constructing the Kleene sequence as follows:

$$
\begin{aligned}
T_P\!\uparrow^{0} &= \eta_0, \quad \text{in which } \eta_0[A.r] = \emptyset \text{ for all } A.r \in \mathrm{Roles}(P) \\
T_P\!\uparrow^{i+1} &= T_P\big(T_P\!\uparrow^{i}\big)
\end{aligned}
$$

The limit of this sequence, $T_P\!\uparrow^{\omega}$, is given by $T_P\!\uparrow^{\omega}[A.r] = \bigcup_{i<\omega} T_P\!\uparrow^{i}[A.r]$, for all A.r ∈ Roles(P). Because T_P is monotonic, $T_P\!\uparrow^{i}$ is an increasing sequence, and because the number of principals and role names in P is finite, $T_P\!\uparrow^{i}$ converges at some finite stage i. We now define the semantics as the function [·]_P that, given any role B.r₁, is defined by $[B.r_1]_P = T_P\!\uparrow^{\omega}[B.r_1]$.

2.2  RT  Policy  Analysis 

The policy analysis we study [21] determines whether a specified subset relationship between roles holds in all reachable states. We make the notion of reachability precise below; loosely speaking, a policy state is reachable from P if it can be obtained from P by changing policy statements defining roles that are not explicitly assumed to remain unchanged.

A query asks whether a set containment holds in all states reachable from P. Because the containment must hold in all reachable states, we use a notation for queries that is reminiscent of but distinct from subset notation: ρ ⊒ λ, in which each of ρ and λ is either a role or an explicit (constant) set of principals. For instance, X.u ⊒ A.r holds if each member of A.r is a member of X.u in every policy state P' reachable from P, i.e., [X.u]_P' ⊇ [A.r]_P'. Queries of this form can be used to express many important kinds of security properties, including availability, safety, liveness and mutual exclusion. These queries can be used to express security objectives of the entity running the analysis. For instance, one important safety property might be verified by posing the query employee ⊒ accessSecretDB. The answer "yes" means that no one outside the company has access to the secret database in any reachable state. Note that containment queries such as this are strictly more powerful than the classical safety problem, which asks whether a particular individual, say Alice, is a member of a given role, say B.r₁, in any reachable state. This problem can be encoded by adding two new auxiliary roles C.r₂ and D.r₃, each defined by a single statement, C.r₂ ← Alice and D.r₃ ← B.r₁ ∩ C.r₂, and posing the query {} ⊒ D.r₃.

Reachability is defined precisely as follows. A restriction rule is given by a pair of sets of roles R = (G_R, S_R). Roles in G_R are said to be growth-restricted, and it is assumed that these roles will have no new statements defining them added in a state transition. Shrink-restricted roles (S_R) are assumed not to have statements defining them removed.

Definition 2 We say that P' is reachable from P under R if P'|G_R ⊆ P and P|S_R ⊆ P'. In this case we write P ↦_R P'.

We  can  now  define  the  role-containment  problem. 

Definition 3 (RCPI) A role-containment problem instance (RCPI) is given by a triple π = (P, R, Q), in which P is a policy, R is a restriction rule, and for some X.u, A.r ∈ Roles(P), Q = X.u ⊒ A.r. The RCPI π = (P, R, X.u ⊒ A.r) is said to be satisfied if and only if [X.u]_P' ⊇ [A.r]_P' for each P' such that P ↦_R P'. In this case we also say that P satisfies X.u ⊒ A.r under R. The question part of the role-containment problem asks whether this is the case.

One  usage  of  the  role-containment  problem  is  in  the  maintenance  of  security  objectives  as  uncooperative 
principals  modify  the  definitions  of  the  roles  they  own.  The  presumption  is  that  the  owners  of  shrink-  and 
growth-restricted  roles  cooperate  in  maintaining  the  security  objectives  by  not  committing  policy  changes 
that  violate  IZ  without  first  running  the  analysis.  This  analysis  consists  of  posing  the  queries  that  verify 
security  objectives  will  continue  to  be  met  as  the  definitions  of  other  roles  are  changed. 

Note that the assumptions expressed by the restriction rule are not enforced by an administrative policy. They are simply assumptions under which the analysis is performed. Intuitively, their presence enables the analysis to provide us with assurance of statements such as, "So long as people I trust do not make certain changes to the definitions of certain roles under their control without first verifying the security objective given by the query employee ⊒ accessSecretDB, only company employees will be able to access the secret database."

As noted in the introduction, queries of certain restricted forms can be analyzed and verified efficiently, i.e., in polynomial time. These include queries in which at least one of ρ and λ is an explicit, constant set of principals given in the query [21]. Thus the classical safety problem can be answered in polynomial time in RT. Queries can also be answered in polynomial time if policy states are restricted to contain only Type I and Type II statements. However, when both ρ and λ are roles and all forms of statements are allowed, the decision problem is EXPTIME-complete [36]. This is unfortunate because the properties that can be expressed by using such queries are extremely useful, as illustrated by the secret database example we have discussed just above and in the introduction. Thus we seek techniques that can solve queries of this general form as often as possible and assess the limits of the techniques we design.
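As an added illustration (our own code, not the paper's model-checking implementation), the Python below makes Definition 1 of Section 2.1 and Definitions 2 and 3 above concrete: it computes role memberships as the Kleene iteration of T_P, checks the reachability relation of Definition 2, and searches reachable states for the counterexample principal E that Theorem 4 guarantees exists whenever an RCPI is not satisfied. The tuple encoding of statements, the fresh principal name `N1`, the edit `budget` and the restriction of added statements to roles already mentioned in P are this example's assumptions; the search is sound (every hit is a genuine, reachable counterexample) but it is complete only when the bound of Theorem 6 is reached, so a `None` result is evidence rather than a proof. The `COMPANY` policy is constructed here for the employee ⊒ accessSecretDB query discussed in the text.

```python
"""Added example: RT semantics (Definition 1), reachability (Definition 2) and a
bounded counterexample search for an RCPI (Definition 3, Theorem 4).
The statement encoding and the search bound are this example's own choices."""
from itertools import combinations

# A statement A.r <- e is a pair (head, body); the body encodes the four types:
#   ("member", "D")             Type I   A.r <- D
#   ("role", "B.r1")            Type II  A.r <- B.r1
#   ("linked", "B.r1", "r2")    Type III A.r <- B.r1.r2
#   ("inter", "B.r1", "C.r2")   Type IV  A.r <- B.r1 n C.r2


def semantics(policy):
    """Kleene iteration of T_P: returns eta mapping each defined role to its members."""
    eta = {}
    get = lambda role: eta.get(role, frozenset())   # undefined roles are empty
    while True:
        new = {head: frozenset() for head, _ in policy}
        for head, body in policy:
            kind = body[0]
            if kind == "member":
                added = frozenset([body[1]])
            elif kind == "role":
                added = get(body[1])
            elif kind == "linked":     # every Z in B.r1 contributes the members of Z.r2
                added = frozenset().union(*(get(f"{z}.{body[2]}") for z in get(body[1])))
            else:                      # "inter": members of both roles
                added = get(body[1]) & get(body[2])
            new[head] |= added
        if new == eta:                 # T_P is monotone on a finite lattice, so this terminates
            return eta
        eta = new


def members(policy, role):
    return semantics(policy).get(role, frozenset())


def reachable(p, p_new, growth, shrink):
    """Definition 2: P' reachable from P under R=(G_R,S_R) iff P'|G_R ⊆ P and P|S_R ⊆ P'."""
    return (all(st in p for st in p_new if st[0] in growth)
            and all(st in p_new for st in p if st[0] in shrink))


def mentioned(policy):
    """Principals and roles that occur anywhere in the policy (head or body)."""
    principals, roles = set(), set()
    for head, body in policy:
        refs = [head] + ([] if body[0] == "member" else
                         [body[1], body[2]] if body[0] == "inter" else [body[1]])
        roles.update(refs)
        principals.update(ref.split(".")[0] for ref in refs)
        if body[0] == "member":
            principals.add(body[1])
    return principals, roles


def counterexample(policy, growth, shrink, x_u, a_r, fresh=("N1",), budget=2):
    """Search reachable states P' for a principal E in [A.r]_P' but not in [X.u]_P'.
    Per Theorem 4 only simple member statements are added; removals drop any
    non-shrink-restricted statement.  Sound: every hit is a reachable counterexample.
    Not complete: at most `budget` edits, additions only to roles mentioned in P and
    only len(fresh) new principals (assumption), so None is a proof only when
    Theorem 6's bound is met."""
    principals, roles = mentioned(policy)
    removable = [st for st in policy if st[0] not in shrink]
    fixed = [st for st in policy if st[0] in shrink]
    addable = [(role, ("member", d))
               for role in sorted(roles | {x_u, a_r}) if role not in growth
               for d in sorted(fresh) + sorted(principals)]
    for edits in range(budget + 1):
        for k in range(edits + 1):
            for dropped in combinations(removable, k):
                base = fixed + [st for st in removable if st not in dropped]
                for added in combinations(addable, edits - k):
                    state = base + list(added)
                    assert reachable(policy, state, growth, shrink)
                    eta = semantics(state)
                    witnesses = eta.get(a_r, frozenset()) - eta.get(x_u, frozenset())
                    if witnesses:
                        return state, min(witnesses)
    return None


# Example 1 of the paper, encoded in this representation.
EPUB = [
    ("EPub.discount", ("linked", "EPub.university", "student")),
    ("StateU.student", ("role", "RegistrarB.student")),
    ("RegistrarB.student", ("member", "Alice")),
    ("EPub.university", ("role", "ABU.accredited")),
    ("ABU.accredited", ("member", "StateU")),
]

# Constructed policy for the secret-database query employee ⊒ accessSecretDB.
COMPANY = [
    ("Company.employee", ("role", "Company.manager")),
    ("Company.manager", ("member", "Alice")),
    ("Company.employee", ("member", "Bob")),
    ("Company.cleared", ("member", "Alice")),
    ("Company.accessSecretDB", ("inter", "Company.employee", "Company.cleared")),
]

if __name__ == "__main__":
    print(members(EPUB, "EPub.discount"))                                 # frozenset({'Alice'})
    # accessSecretDB growth-restricted: no reachable state admits a non-employee
    print(counterexample(COMPANY, {"Company.accessSecretDB"}, set(),
                         "Company.employee", "Company.accessSecretDB"))   # None
    # unrestricted: one new statement defining accessSecretDB breaks the objective
    print(counterexample(COMPANY, set(), set(),
                         "Company.employee", "Company.accessSecretDB"))
```

With accessSecretDB in G_R the only statement defining it is the intersection with employee, so every reachable state keeps it inside employee and the search finds nothing; with G_R empty the very first edit, a member statement N1 ∈ accessSecretDB, is a reachable counterexample, which is the situation the text's query is meant to rule out.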

2.3  Prior  State  Space  Reductions 

We make extensive use of two prior results that limit the space of reachable states that must be explored to yield a complete RCPI decision. The first justifies adding only simple member statements when constructing reachable policy states.

Theorem 4 ([21]) Given an RCPI (P, R, X.u ⊒ A.r), if X.u does not contain A.r, then there exists a P' reachable from P and a principal E such that E ∈ [A.r]_P', E ∉ [X.u]_P', P' − P has only simple member statements, and P' uses only role names in P.

The second prior result limits the size of the policy state space that must be explored to determine whether an RCPI is satisfied. This result established an upper bound on the complexity of the role containment problem, though Sistla and Zhou [36, 37] later showed a tighter, precise upper bound.

Any  analysis  technique  that  operates  by  exhaustively  examining  reachable  states  must  address  the  fact 
that  in  our  analysis  problem  the  size  of  reachable  policy  states  is  unbounded,  and  hence  the  state  space 
is  infinite.  The  following  definition  and  theorem  establish  a  bound  on  the  size  of  the  states  that  must  be 
considered. 

Definition 5 (N(π)) Given any RCPI π = (P, R, X.u ⊒ A.r), let

$$
N(\pi) = \{\, A.r \leftarrow D \mid A.r \notin G_R \wedge r \in \mathrm{Names}(\pi) \wedge A, D \in \mathrm{Principals}(\pi) \cup \mathrm{NewPrinc}(\pi) \,\}
$$

in which NewPrinc(π) is a set of new principals, disjoint from Principals(π) ∪ Principals(R) and whose cardinality is $2^{|\mathrm{SigRoles}(\pi)|}$, and SigRoles(π) is the set {X.u} ∪ {B₁.r₁ | B.r ← B₁.r₁.r₂ ∈ P} ∪ {B₁.r₁, B₂.r₂ | B.r ← B₁.r₁ ∩ B₂.r₂ ∈ P}.

Theorem 6 ([21]) Given any RCPI π = (P, R, X.u ⊒ A.r), π is not satisfied if and only if there exists a P'' such that P ↦_R P'', P'' ⊆ P ∪ N(π), and there exists a principal E such that E ∈ [A.r]_P'' and E ∉ [X.u]_P''.

While the theorem as stated here differs from that of Li et al. [21], it follows easily as a corollary based on the proof given there.⁶

⁶ The theorem of Li et al. states that the problem we study is in coNEXP.

3 Reductions


This section describes several reductions that transform one RCPI into another that is typically less expensive to evaluate. These techniques in many cases enable us to reduce the size of the state space that must be explored. The idea is that given an initial state P, we can often perform the analysis using a smaller initial state and obtain identical results. Our findings in Section 8 indicate that, when using our model checking technique and our platform configuration, these reductions often make the difference between being unable to evaluate an RCPI and being able to do so. Furthermore, we conjecture that they may be applied in general to increase the efficiency of other RCPI-solving approaches, such as one based on the proof method of Sistla and Zhou [36, 37].

3.1  Cone  of  Influence  Reduction 

A given RCPI (P, R, X.u ⊒ A.r) may contain statements in P that are unnecessary for determining the satisfiability of the RCPI. Such extraneous statements can safely be removed in order to reduce the complexity of the problem. This reduction removes statements that are said to be outside of the query's cone of influence (COI), but goes well beyond the cone of influence commonly associated with model checking [8]. Our version is tailored to role containment policy analysis, but it is not so specific that it cannot be leveraged by other analysis techniques outside of model checking. We describe the specific differences at the end of this section.

Our COI reduction accomplishes three goals. First, it removes any statement that does not contribute to the membership of the queried roles. Second, it modifies R to constrain the reachable policy state space in a safe manner. Finally, it omits certain statements whose influence on a queried role is accounted for by R. Thus our reduction takes as input an RCPI (P, R, X.u ⊒ A.r) and constructs a new RCPI (P', R', X.u ⊒ A.r) that produces the same answer. The significance of this reduction is that it has the potential to remove linked role or intersection inclusion type statements that enlarge the number of principals necessary to satisfy the RCPI, and in doing so increase the size of the model checking state space. It is also significant because this reduction is not specific to our model checking analysis approach, but rather can be leveraged by other analysis techniques. We begin with a high-level description of COI and an example, followed by the formal definition and proof of correctness.

Speaking informally, we use the terms influence or depends on to express the idea that in order to determine the membership of one role ρ in any given state P, you would need to consider some P' ⊆ P. We say only these statements P', and the roles they define, influence the membership of ρ, or that ρ depends only on these statements P'. It is not required that a statement actually introduce any principal into ρ to be influential, only that such a statement defines ρ directly or indirectly through other roles.

The COI((P, R, X.u ⊒ A.r)) retains from P those statements that influence the memberships of the queried roles. Recall that role containment analysis involves the exploration of states reachable from P, where we seek to find some counterexample state P'' and E such that E ∈ [A.r]_P'' − [X.u]_P''. Observe from this definition that we can assist in this exploration of policy states by reducing the membership of X.u and enlarging the membership of A.r. This can be achieved by constructing the union of two sets of statements from P. The first set of statements minimizes the membership of X.u by including only those statements that influence X.u and define shrink-restricted roles. This set excludes unnecessary and removable statements to reduce the membership of X.u. The second set of statements attempts to enlarge the membership of A.r by including only those statements that influence A.r and define growth-restricted roles. Observe that such a statement may define a growth-restricted role so that it depends upon non-growth-restricted roles, thus providing a means of enlarging the membership of A.r. Any statement that influences A.r but does not define a growth-restricted role can be safely excluded because it cannot introduce anything into A.r that could not be introduced directly. Taking the union of these two sets of statements ensures that every statement that influences either X.u or A.r is included in the reduced policy P'.

Our COI reduction produces not only a reduced P', but it also constructs R' by adding roles to R in such a way as to safely reduce the number of reachable policy states we would need to examine under analysis. We calculate the set of roles Γ that contribute only to the membership of X.u and not A.r, and define G'_R = G_R ∪ Γ. Clearly such a change will only affect the membership of X.u and ensure that we avoid examining policy states where E happens to be in X.u, but is not forced to be in X.u. Recall from our description of a counterexample state P'' that E ∉ [X.u]_P''. This change in R assists the search for P'' by preventing any principal that is not forced to be in X.u from being introduced unless it was introduced through some means other than the roles of Γ. Furthermore, we calculate the set of roles Σ that contribute only to the membership of A.r and not X.u, and define S'_R = S_R ∪ Σ. As with the previous case, it is clear that such a change will only affect the membership of A.r, and that we avoid examining policy states where E happens to be absent from A.r. This change in R assists in the search for P'' by preventing E from being removed in the case that it was introduced through Σ.

To illustrate, consider the example in Figure 2 where RCPI π = (P, R, X.u ⊒ A.r) is the initial problem, and COI(π) is a new RCPI constructed from the application of the Cone of Influence Reduction. Let us begin by comparing P and P' from COI(π). We see that this reduction removes statements 7 through 18, even though many of these statements define roles that are growth or shrink restricted. When comparing the role dependency graphs⁷ of Figures 2a and 2b, it is not difficult to understand that statements 16 through 18 were removed because the memberships of X.u and A.r do not depend on the memberships of the roles defined by these statements. What is less obvious is the removal of statements 7 through 15, since the existence of these statements does influence the memberships of the queried roles. We examine this part of the reduction with respect to X.u and A.r. The reduction with respect to X.u removes statements 7 through 12, while the reduction with respect to A.r removes statements 7 and 13 through 15.

To understand why the reduction with respect to X.u is safe, recall that we desire to find a set of policy states that minimize the membership of X.u to include only those principals that are forced to be in this role. Principals not forced to be in X.u do not aid in the discovery of a reachable P'' and E such that E ∈ [A.r]_P'' − [X.u]_P''. From the role X.u in Figure 2a, traverse the graph only along bold edges representing statements that are forced to be in every policy state due to S_R. The set of statements corresponding to the traversed edges produces the minimum membership of X.u. Thus statements 0 through 3 would be in P', but statements 7 through 11 would not. Furthermore, with the removal of statement 9, E.r no longer influences X.u, and thus statement 12 may also be removed despite the fact that E.r ∈ S_R.

Now not only do we seek to remove such statements, but we also desire to change R in a way that prevents new statements from introducing principals into X.u. We accomplish this by defining Γ as a set of roles that influence X.u but not A.r, where G'_R = G_R ∪ Γ. In our example, Γ consists of the set {X.u, C.r, D.r, E.r}. Clearly evaluating policy states that introduce additional principals into X.u but not A.r is unnecessary because if E exists in a counterexample state P'', then E must not be introduced into X.u through one of these statements. Thus we need not consider states that contain additional principals in X.u but not A.r.

⁷ We use role dependency graphs (RDG) to illustrate the relationships between roles and between roles and principals. An RDG is a directed graph where each oval node represents a role expression, i.e., a role, a linked role, the intersection of two roles, or a principal. A role is shaded if it is growth restricted. Each rectangle node represents a principal. Each directed edge represents a dependency of one role expression on another. A solid edge represents a policy statement, labeled with the index of the statement. An edge in bold signifies that the statement it represents cannot be removed due to the shrink restriction. A dashed edge represents the dependency of a linked role on its base-linked role. Intersection role expressions are depicted using & instead of ∩. Two edges originating at an intersection node represent the decomposition of an intersection expression; the destination nodes are the two intersected roles. These edges do not represent policy statements, but are included simply to identify the relationship between an intersection expression and its components.

Figure 2: Cone of influence example. (a) π = (P, R, X.u ⊒ A.r); (b) COI(π), with R' = (G'_R, S'_R), G'_R = G_R ∪ {X.u, D.r}, S'_R = S_R ∪ {A.r, F.r}. (Role dependency graphs not reproduced.)

To understand why the reduction with respect to A.r is safe, recall that we seek to increase the membership of A.r as much as possible in order to quickly identify a counterexample should one exist. More precisely, we seek to increase the membership of A.r without influencing the membership of X.u (recall that we simultaneously attempt to minimize the membership of X.u). Thus we desire to modify the RCPI to force as many sets of principals into A.r as possible, so long as doing so would not affect the membership of X.u. One approach involves identifying Σ as a set of roles that influence A.r but not X.u, and then adding this set of roles to S_R. In our example, Σ includes {A.r, F.r, H.r, G.r} and we modify S_R to create S'_R = S_R ∪ Σ. In doing so, we ensure that statements 4 through 6 are present in all states investigated. Now if we examine B.r and F.r as roles that influence A.r, we see that neither of these roles is growth restricted. In the case of B.r, it influences both X.u and A.r, so it would not be appropriate to force any particular membership into B.r as this may influence the membership of X.u. In the case of F.r, statement 13 can be omitted since the effect it will have on the membership of A.r and X.u will be achieved through statements defining F.r in reachable states. For example, consider any reachable state where H.r ← Q is added to P, and thus Q becomes a member of A.r. The same effect can be accomplished by adding F.r ← Q to P, where Q is a member of A.r and X.u remains the same. We take the union of the policies produced by both parts of this reduction. In other words, a statement of P is retained with respect to R if and only if it influences X.u, A.r, or both.

The definition of COI makes use of a set, DefRoles(P, ρ, M), consisting of roles on which a queried role ρ depends. The definition of this set is parameterized by a set of roles M. It traverses roles in M on which ρ depends, truncating the traversal paths upon reaching roles not in M. This truncation enables us to define COI aggressively, retaining only those statements on which ρ depends via roles that are growth or shrink restricted. When such truncation is not desired, the value of M given in the use of DefRoles is the set of all roles in P.

Definition 7 Let ρ be a role, M be a set of roles, and P be a policy. We define DefRoles(P, ρ, M) to be the least set of roles O satisfying the following conditions:

• ρ ∈ O

• (λ ∈ O ∧ λ ← B.r₁ ∈ P ∧ B.r₁ ∈ M) ⇒ B.r₁ ∈ O

• (λ ∈ O ∧ λ ← B.r₁.r₂ ∈ P ∧ D ∈ Principals(P)) ⇒ ((B.r₁ ∈ M ⇒ B.r₁ ∈ O) ∧ (D.r₂ ∈ M ⇒ D.r₂ ∈ O))

• (λ ∈ O ∧ λ ← B.r₁ ∩ C.r₂ ∈ P) ⇒ ((B.r₁ ∈ M ⇒ B.r₁ ∈ O) ∧ (C.r₂ ∈ M ⇒ C.r₂ ∈ O))

Using  DefRoles,  we  define  the  Cone  of  Influence  (COI)  as  a  policy  constructed  from  those  statements 
that  define  roles  in  DefRoles.  In  other  words,  we  retain  only  those  statements  that  influence  the  queried  roles 
and  thus  determine  the  satisfiability  of  the  RCPI. 

Definition 8 Given an RCPI π = (P, R, X.u ⊒ A.r), we define COI(π) = (P', R', X.u ⊒ A.r) in which

$$
\begin{aligned}
P' &= P|_{\mathrm{DefRoles}(P, X.u, S_R)\ \cup\ \mathrm{DefRoles}(P, A.r, G_R)} & (1) \\
R' &= (G'_R, S'_R) & (2) \\
G'_R &= G_R \cup \big(\mathrm{DefRoles}(P, X.u, \mathrm{Roles}(P)) - \mathrm{DefRoles}(P, A.r, \mathrm{Roles}(P))\big) & (3) \\
S'_R &= S_R \cup \big(\mathrm{DefRoles}(P, A.r, \mathrm{Roles}(P)) - \mathrm{DefRoles}(P, X.u, \mathrm{Roles}(P))\big) & (4)
\end{aligned}
$$


The function DefRoles traverses roles at most once and for each role determines membership in R. Given a policy of n roles and an R of size k, the computational complexity is O(k log k + n log k) in general and O(n log n) when the set of roles in R is a subset of the roles of P, which is typically the case.

Theorem 9 Given any RCPI π = (P, R, X.u ⊒ A.r), COI(π) is satisfied if and only if π is satisfied.⁸

Our reduction is distinct from the cone of influence technique expected in model checking. In model checking [8], "the cone of influence reduction attempts to decrease the size of the state transition graph by focusing on the variables of the system that are referred to in the specification." Our version also excludes variables (policy state, role membership) that do not influence the specification; however, it goes further in two important ways. First, it recognizes that the removal of linked inclusion and intersection inclusion statements safely reduces the state space by considering fewer principals. Second, it safely reduces the state space by conservatively modifying R. Thus our approach subsumes the common cone of influence technique.

⁸ Proofs for this and subsequent theorems are given in the Appendix.

3.2  Empty  Role  Reduction 

The  empty  role  reduction  removes  policy  statements  that  use  in  their  bodies  roles  that  have  no  members  in 
any  reachable  state.  While  such  roles  may  be  uncommon  in  original  RCPIs,  the  COI  reduction  can  create 
them.  Thus,  the  two  reductions  can  interact  to  yield  better  results  than  either  one  alone. 

By empty role, we refer to a role whose membership is empty. If we can show that the membership of a given role will be empty in every reachable state, then we can remove statements that reference this role in their body, since such a statement cannot contribute to the membership of any other role. For example, suppose that A.r ← B.r is the sole statement defining role A.r and that B.r is defined by no statements and is growth restricted. In this case, the membership of B.r will be empty in all reachable policy states, so the statement A.r ← B.r can safely be removed.

The above simple case can be generalized to situations in which the statements defining a collection of growth-restricted roles form a strongly connected component that depends on no outside roles. A simple example of such a policy that contains a single cycle is shown in Figure 3. This policy contains a cyclic dependency created by statements 4, 5 and 6. (Recall that the arc from C.r & D.r to C.r does not represent a policy statement.) In this case, because the roles that form the cycle are growth restricted and are not defined by any statements that do not participate in the cycle, all these roles, their definitions, and statements that use them can safely be removed from the initial policy. Clearly B.r, D.r, and E.r have no members in any reachable policy state.

Rather than rely on syntactic means to identify such roles, we make use of a program transformation due to Li et al. called the Upper Bound Program and denoted by UB(P) [21]. Li introduces this transformation for the purpose of efficiently evaluating queries in which only the right-hand argument to ⊒ is a role. In this case, it is sufficient to compute a representation of the largest membership that this role can have in a reachable policy state. (Because the membership of growth-unrestricted roles can be unbounded and contain arbitrary principals added in reachable policies, a special pseudo-principal ⊤ is added during the transformation that denotes any (finite) set of principals. Any unrestricted role will have ⊤ among its members, representing the fact that the role's membership can be an arbitrarily large set.)

When the role membership is computed for the transformed program $\mathrm{UB}(\mathcal{P})$, any role that is found to be empty will be empty under all reachable policy states. Because of the correctness result for $\mathrm{UB}(\mathcal{P})$, these are exactly the roles that the empty role reduction should eliminate from the initial policy. That is, each statement that uses any of these roles in its body should be removed. This is a novel use of $\mathrm{UB}(\mathcal{P})$, which was designed for the purpose of answering queries, not for transforming initial policies as we are using it here. In the example of Figure 3, the roles $\{B.r, D.r, E.r\}$ would be identified as empty roles under the $\mathrm{UB}(\mathcal{P})$ program, and thus statements such as 4, 5 and 6 that reference these roles would be removed. The empty role reduction $\mathrm{ERR}(\mathcal{P}, \mathcal{R})$ is defined as follows.

Definition 10 Given a policy $\mathcal{P}$ and restriction rule $\mathcal{R}$, the result of the empty role reduction on these values is given by $\mathrm{ERR}(\mathcal{P}, \mathcal{R}) = \{A.r \leftarrow e \in \mathcal{P} \mid e \in \{B.r, B.r.r_1, B.r \cap C.r_1, C.r_1 \cap B.r\} \wedge [\![B.r]\!]_{\mathrm{UB}(\mathcal{P})} \neq \emptyset\}$.

There are two additional points to be made regarding the application of the reductions to the example of Figure 3. First, the COI reduction does not simplify the initial policy because $B.r$, $D.r$, and $E.r$ each influence the membership of both queried roles. Second, the empty role reduction safely removes statement 0 despite the fact that $X.u$ is shrink restricted. This is possible because $B.r$ is always empty and thus no principals can be introduced through statement 0. We now formally prove the correctness of this reduction.

Figure 3: Empty role reduction example (panels b. $\mathrm{COI}(\pi)$ and c. $\mathrm{ERR}(\mathcal{P})$)

Theorem 11 Let $\mathcal{P}$ be any policy and $\mathcal{R}$ be any restriction rule. (1) For all $\mathcal{P}'$ such that $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}'$ and $\mathcal{P}' - \mathcal{P}$ contains type 1 statements only, there exists $\mathcal{P}''$ such that $\mathrm{ERR}(\mathcal{P}, \mathcal{R}) \mapsto^{*}_{\mathcal{R}} \mathcal{P}''$, $\mathcal{P}'' - \mathrm{ERR}(\mathcal{P}, \mathcal{R})$ contains type 1 statements only, and for all $B.r \in \mathrm{Roles}(\mathcal{P}') \cup \mathrm{Roles}(\mathcal{P}'')$, $[\![B.r]\!]_{\mathcal{P}'} = [\![B.r]\!]_{\mathcal{P}''}$. Conversely, it is also the case that (2) for all $\mathcal{P}''$ such that $\mathrm{ERR}(\mathcal{P}, \mathcal{R}) \mapsto^{*}_{\mathcal{R}} \mathcal{P}''$ and $\mathcal{P}'' - \mathrm{ERR}(\mathcal{P}, \mathcal{R})$ contains type 1 statements only, there exists $\mathcal{P}'$ such that $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}'$, $\mathcal{P}' - \mathcal{P}$ contains type 1 statements only, and for all $B.r \in \mathrm{Roles}(\mathcal{P})$, $[\![B.r]\!]_{\mathcal{P}'} = [\![B.r]\!]_{\mathcal{P}''}$.
The computational complexity of $\mathrm{UB}(\mathcal{P})$ is $O(n^3)$ [21], and the construction of a balanced tree of the identified empty roles is $O(n \log n)$ since there are at most $O(n)$ roles. Iterating through the policy statements, we incur a cost of $O(n \log n)$ to identify and remove statements that reference empty roles. Thus the computational complexity of this reduction is bounded by $O(n^3)$.
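As an added example (my own code, not the paper's or Li et al.'s implementation), the following Python computes an upper-bound membership for every role in the spirit of $\mathrm{UB}(\mathcal{P})$ and then applies the empty role reduction as the text describes it, removing each statement whose body uses a role that is empty under the upper bound. The policy is constructed to have the shape described for Figure 3 and is not the figure itself; the way $\top$ propagates through linked and intersection bodies is my own conservative over-approximation rather than Li et al.'s exact rule set.

```python
# Added example: empty role reduction driven by an upper-bound membership
# computation in the spirit of UB(P). Not the paper's code; the TOP
# propagation rules below are my own conservative over-approximation.

TOP = "TOP"  # pseudo-principal standing for "any finite set of principals"

# A statement is (head_role, body) with head_role = (principal, role_name)
# and body one of:
#   ("member", D)                 A.r <- D
#   ("role", (B, r1))             A.r <- B.r1
#   ("linked", (B, r1), r2)       A.r <- B.r1.r2
#   ("inter", (B, r1), (C, r2))   A.r <- B.r1 ∩ C.r2

def body_roles(body):
    """Roles mentioned in a statement body (none for a simple member statement)."""
    kind = body[0]
    if kind == "member":
        return set()
    if kind in ("role", "linked"):
        return {body[1]}
    return {body[1], body[2]}

def upper_bound(policy, growth_restricted):
    """Least fixpoint of the upper-bound program: maps every role mentioned in
    the policy to an over-approximation of its membership in any reachable
    state. TOP in a set means the role can contain arbitrary principals."""
    roles = set()
    for head, body in policy:
        roles.add(head)
        roles |= body_roles(body)
    # Growth-unrestricted roles can acquire arbitrary members, so they get TOP.
    ub = {role: (set() if role in growth_restricted else {TOP}) for role in roles}

    def lookup(role):
        # A role owned by TOP, or a role the policy never mentions that is not
        # growth restricted, is unbounded as well.
        if role[0] == TOP or (role not in ub and role not in growth_restricted):
            return {TOP}
        return ub.get(role, set())

    changed = True
    while changed:
        changed = False
        for head, body in policy:
            kind = body[0]
            if kind == "member":
                new = {body[1]}
            elif kind == "role":
                new = lookup(body[1])
            elif kind == "linked":
                # Members of B.r1.r2 are the members of Y.r2 for every Y in B.r1.
                new = set()
                for y in lookup(body[1]):
                    new |= lookup((y, body[2]))
            else:
                left, right = lookup(body[1]), lookup(body[2])
                # TOP on one side may match anything on the other side.
                if TOP in left and TOP in right:
                    new = left | right
                elif TOP in left:
                    new = set(right)
                elif TOP in right:
                    new = set(left)
                else:
                    new = left & right
            if not new <= ub[head]:
                ub[head] |= new
                changed = True
    return ub

def empty_role_reduction(policy, growth_restricted):
    """ERR(P, R) as described in the text: drop every statement whose body uses
    a role that is empty under the upper bound. Returns (reduced, empty_roles)."""
    ub = upper_bound(policy, growth_restricted)
    empty = {role for role, members in ub.items() if not members}
    reduced = [(head, body) for head, body in policy if not (body_roles(body) & empty)]
    return reduced, empty

# Constructed policy with the shape described for Figure 3 (not the figure itself):
# statements 4, 5 and 6 form a cycle among the growth-restricted roles B.r, D.r, E.r.
POLICY = [
    (("X", "u"), ("role", ("B", "r"))),                # 0: X.u <- B.r
    (("X", "u"), ("member", "P1")),                    # 1: X.u <- P1
    (("A", "r"), ("member", "P1")),                    # 2: A.r <- P1
    (("A", "r"), ("role", ("C", "r"))),                # 3: A.r <- C.r
    (("B", "r"), ("role", ("D", "r"))),                # 4: B.r <- D.r
    (("D", "r"), ("inter", ("C", "r"), ("E", "r"))),   # 5: D.r <- C.r ∩ E.r
    (("E", "r"), ("linked", ("B", "r"), "r")),         # 6: E.r <- B.r.r
    (("C", "r"), ("member", "P2")),                    # 7: C.r <- P2
]
GROWTH_RESTRICTED = {("B", "r"), ("D", "r"), ("E", "r")}

if __name__ == "__main__":
    reduced, empty = empty_role_reduction(POLICY, GROWTH_RESTRICTED)
    print("empty roles:", sorted(empty))      # B.r, D.r, E.r
    print("statements kept:", len(reduced))    # 4 of the 8
```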

3.3  Decomposition 

It is sometimes useful to decompose an RCPI into sub-problems that can be solved separately. The membership of $A.r$ is the union of $[\![e_i]\!]_{\mathcal{P}}$ for $i = 1 \ldots n$, in which $e_1 \ldots e_n$ enumerates $\{e \mid A.r \leftarrow e \in \mathcal{P}\}$. Observe that if $A.r$ is growth and shrink restricted, then for each reachable state $\mathcal{P}'$ and each principal $E \in [\![A.r]\!]_{\mathcal{P}'}$, there is some $i \in \{1 \ldots n\}$ such that $E \in [\![e_i]\!]_{\mathcal{P}'}$. By isolating a single $e_i$ through the use of a new role $A'.r'$, we construct from a given RCPI a collection of new RCPIs such that the original is satisfied just in case each RCPI in the collection is satisfied. The decomposed RCPIs can sometimes be successfully solved by our analysis tool when the original cannot. We first illustrate this reduction with the following example and then examine the formal definition and proof.

Consider the example in Figure 4, where $\mathcal{P}$ is the initial policy, and RCPI $\pi_1 = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq B.r)$, RCPI $\pi_2 = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq C.r)$, and RCPI $\pi_3 = (\mathcal{P}', \mathcal{R}', X.u \sqsupseteq A'.r')$ are three decomposed sub-problem instances of the role containment problem. A theorem presented below shows that $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ is satisfied if and only if these three instances of the role containment problem are satisfied. It is interesting to note that the COI reduction is unable to remove any statements in this example because all of the statements influencing $X.u$ define shrink restricted roles, and all of the statements influencing $A.r$, but not $X.u$, define growth restricted roles. In general, the Decompose technique does not remove statements as COI does, but instead constructs a set of RCPIs, each with a subset of statements from the original RCPI plus at most one new statement defining the temporary role $A'.r'$. This new statement is a replacement for an existing statement; for example, statement 11 in Figure 4d is a replacement for statement 3 in Figure 4a.

One of the characteristics of this technique is that any sub-problem is no more expensive to analyze than the original RCPI, since each sub-problem is effectively a subset of the original. We can express analysis effort primarily by the cardinality of the elements in SigRoles, as discussed in Section 2. It is beneficial to find counterexamples in simpler sub-problems, in part due to the total analysis effort required, but also because a small sub-problem naturally narrows the scope of the counterexample, allowing a policy analyst to focus on a particular part of the policy for correction. In our example, we can identify a counterexample in Figure 4c where some principal $E$ becomes a member of $Y.r$ but is not a member of $J.r$. A counterexample in this instance is easier to expose than in the instance of Figure 4d because only 16 new principals (4 significant roles, $2^4$ principals) were sufficient to show satisfiability in this instance, rather than 64 new principals (6 significant roles, $2^6$ principals). Furthermore, the fact that a counterexample was found suggests that analysts may focus their policy correction attention on the roles and statements from this instance, as opposed to other roles and statements from the original policy.

Now consider the example in Figure 5, where $\mathcal{P}$ is the initial policy and the Decompose technique constructs four sub-problem instances. This example differs from the previous one in that Decompose has been applied twice. It is not difficult to see that when we apply Decompose once, one of the constructed sub-problem instances would be $X.u \sqsupseteq C.r$ (not illustrated). We are able to apply Decompose once more and produce two additional instances, as illustrated by Figures 5b and 5c. Thus $(\mathcal{P}', \mathcal{R}, X.u \sqsupseteq G.r)$ is satisfied if and only if $(\mathcal{P}', \mathcal{R}, X.u \sqsupseteq H.r)$ and $(\mathcal{P}', \mathcal{R}, X.u \sqsupseteq I.r)$ are satisfied. Thus we demonstrate how this technique can be iteratively applied to produce potentially simpler RCPIs.

We now formally describe this reduction. Decompose constructs the collection of new RCPIs.

Figure 4: Decomposition example 1 (panel d. $\pi_3$)

Figure 5: Decomposition example 2

Definition 12 Given an RCPI $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, let $A'$ be a new principal not in $\mathcal{P}$ and $r'$ be a new role name not in $\mathcal{P}$. We define $\mathrm{Decompose}((\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)) = \{(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq \rho) \mid A.r \leftarrow \rho \in \mathcal{P} \wedge \rho \in \mathrm{Roles}\} \cup \{(\mathcal{P} \cup \{A'.r' \leftarrow e\}, (\mathcal{G}_{\mathcal{R}} \cup \{A'.r'\}, \mathcal{S}_{\mathcal{R}} \cup \{A'.r'\}), X.u \sqsupseteq A'.r') \mid A.r \leftarrow e \in \mathcal{P} \wedge e \notin \mathrm{Roles}\}$.

Note that each of the new policies contains at most one occurrence of $A'.r'$, and that there is no occurrence of either $A'$ or $r'$ in any statement body. Furthermore, when $e$ is a role, we do not make use of the new role $A'.r'$. We now formally describe the relationship between the solution to the original RCP instance and the solutions of the new problems.

Theorem 13 Given an RCPI $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, if $A.r \in \mathcal{G}_{\mathcal{R}} \cap \mathcal{S}_{\mathcal{R}}$, then $\mathcal{P}$ satisfies $X.u \sqsupseteq A.r$ under $\mathcal{R}$ if and only if $\mathcal{P}'$ satisfies $X.u \sqsupseteq \rho$ under $\mathcal{R}'$ for each $(\mathcal{P}', \mathcal{R}', X.u \sqsupseteq \rho) \in \mathrm{Decompose}(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$.

Observe that Decompose may be applied iteratively to each new RCPI, potentially constructing even more new RCPIs. Assume the size of the policy $\mathcal{P}$ is given by $n$, the number of roles in $\mathcal{R}$ is $k$, and the set of roles in $\mathcal{R}$ is stored in a balanced tree data structure constructed in $O(k \log k)$ time with a lookup time of $O(\log k)$. A single iteration of this reduction costs $O(k \log k + n \log k)$ in general and $O(n \log n)$ when the set of roles in $\mathcal{R}$ is a subset of the roles of $\mathcal{P}$, which is typically the case. This single iteration takes a single subset query role $A.r$, examines at most $O(n)$ dependent roles, and tests each of these roles for inclusion in the set $\mathcal{R}$. Thus the total cost of iteratively applying this reduction is $O(n^2 \log n)$, since we examine at most $O(n)$ subset query roles.
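The following Python, added here as an illustration and not taken from the paper, implements Decompose of Definition 12 together with the iterated application discussed above. The RCPI encoding, the fresh-role naming, and the stopping rule of the iterated version are my own; the policy is constructed to have the shape of Figure 4 and is not the figure itself.

```python
# Added example: the Decompose reduction of Definition 12 and its iterated
# application. Not the paper's code; the RCPI encoding is my own.

# An RCPI is (policy, (growth_restricted, shrink_restricted), (X.u, A.r)),
# standing for the query X.u ⊒ A.r. Statements are (head_role, body) with
# body one of ("member", D), ("role", (B, r1)), ("linked", (B, r1), r2),
# ("inter", (B, r1), (C, r2)).

def occurring_names(policy):
    """Every principal and role name occurring anywhere in the policy."""
    names = set()
    for head, body in policy:
        names.update(head)
        kind = body[0]
        if kind == "member":
            names.add(body[1])
        elif kind == "role":
            names.update(body[1])
        elif kind == "linked":
            names.update(body[1])
            names.add(body[2])
        else:
            names.update(body[1])
            names.update(body[2])
    return names

def fresh_role(policy):
    """A'.r': a principal and a role name that do not occur in the policy."""
    names = occurring_names(policy)
    primes = 1
    while "A" + "'" * primes in names or "r" + "'" * primes in names:
        primes += 1
    return ("A" + "'" * primes, "r" + "'" * primes)

def decompose(rcpi):
    """Decompose((P, R, X.u ⊒ A.r)): one sub-problem per statement defining A.r.
    A role body becomes the new queried role; any other body is moved into a
    fresh role A'.r' that is made growth and shrink restricted."""
    policy, (growth, shrink), (xu, ar) = rcpi
    if not (ar in growth and ar in shrink):
        raise ValueError("Theorem 13 requires A.r to be growth and shrink restricted")
    subproblems = []
    for head, body in policy:
        if head != ar:
            continue
        if body[0] == "role":
            subproblems.append((policy, (growth, shrink), (xu, body[1])))
        else:
            new_role = fresh_role(policy)
            new_policy = policy + [(new_role, body)]
            new_rule = (growth | {new_role}, shrink | {new_role})
            subproblems.append((new_policy, new_rule, (xu, new_role)))
    return subproblems

def decompose_iteratively(rcpi):
    """Keep decomposing sub-problems whose queried role qualifies (as in Figure 5).
    A queried role already decomposed on the current path, or one defined by a
    single non-role statement (where A'.r' would merely rename A.r), is left
    alone. A queried role with no defining statement yields no sub-problem: it is
    always empty, so its containment query is vacuously satisfied."""
    work, result = [(rcpi, frozenset())], []
    while work:
        (policy, (growth, shrink), (xu, ar)), seen = work.pop()
        defs = [body for head, body in policy if head == ar]
        qualifies = (ar in growth and ar in shrink and ar not in seen
                     and not (len(defs) == 1 and defs[0][0] != "role"))
        if qualifies:
            for sub in decompose((policy, (growth, shrink), (xu, ar))):
                work.append((sub, seen | {ar}))
        else:
            result.append((policy, (growth, shrink), (xu, ar)))
    return result

# Constructed RCPI with the shape of Figure 4 (not the figure itself).
POLICY = [
    (("X", "u"), ("role", ("B", "r"))),                 # X.u <- B.r
    (("X", "u"), ("role", ("J", "r"))),                 # X.u <- J.r
    (("A", "r"), ("role", ("B", "r"))),                 # A.r <- B.r
    (("A", "r"), ("role", ("C", "r"))),                 # A.r <- C.r
    (("A", "r"), ("inter", ("Y", "r"), ("J", "r"))),    # A.r <- Y.r ∩ J.r
    (("C", "r"), ("role", ("X", "u"))),                 # C.r <- X.u
]
RULE = ({("A", "r"), ("C", "r")}, {("A", "r"), ("C", "r"), ("X", "u")})
RCPI = (POLICY, RULE, (("X", "u"), ("A", "r")))

if __name__ == "__main__":
    for _, _, (xu, rho) in decompose(RCPI):
        print("sub-problem:", xu, "⊒", rho)   # B.r, C.r and A'.r'
```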

In summary, Decompose is a technique that may allow an analyst to de-construct a given RCPI into a set of potentially simpler RCPI sub-problems. The goal is to find a counterexample in a simpler sub-problem in the case that verifying the original problem is beyond one's computing resources. We demonstrate that this technique provides three benefits. First, while none of the sub-problems are guaranteed to be trivial, we can guarantee that each sub-problem is no more difficult to verify than the original problem. Second, in the case that each sub-problem can be shown to be satisfied, we can be assured that the original problem is also satisfied. Consequently, if an analysis technique can show that any sub-problem is not satisfied, then we can be assured that the original problem cannot be satisfied. This is significant because even though an analysis technique may not be able to determine the satisfiability of a sub-problem due to a lack of resources, there may exist another sub-problem that can be shown to be unsatisfied within resource constraints. In such a case, we can conclude that the original problem is unsatisfiable. Finally, this technique can be applied iteratively to further de-construct sub-problems into potentially even simpler problems.

3.4  Other  Possible  Reductions 

It seems likely that a further reduction could be defined and verified that would have the potential to reduce the number of principals in the policy part of the RCPI. Intuitively, a policy that has a lot of principals in it would be likely to have an equivalence relation over principals that are used in exactly the same way. We have not invested significant effort in determining exactly how that equivalence relation should be defined because, while theoretically interesting, in our view the result would be unlikely to be of great practical significance. The principals that such a reduction could likely eliminate from the policy are likely to have been added through direct member statements to a handful of roles whose membership changes frequently (e.g., employee or student roles). Such roles are unlikely to be defined as growth- or shrink-restricted, precisely because they must be modified frequently. As such, the direct member statements would be eliminated by the COI reduction.

We have omitted discussion of another reduction that would be simple to define and to verify. This reduction recognizes, via purely syntactic means, statements that have no effect on role membership. For instance, if we have $A.r \leftarrow B.r_1$ in the policy, there is no point in also including $A.r \leftarrow B.r_1 \cap C.r_2$. These reductions are omitted here because they are straightforward and unilluminating.

4  Model  Construction 

This section first presents corollaries, definitions, lemmas, and a theorem that show it is sufficient to explore a smaller policy state space than is justified by prior results or by those introduced above. These reductions differ from those in Section 3 in that they do not transform one RCPI into another, but are more low-level. In particular, they identify individual statements in the reachable policy states that need not be considered while retaining a sound and complete evaluation of the original RCPI. The section then proceeds to construct a Finite State Machine (FSM) from an RCPI, which we call the Analysis Finite State Machine (AFSM), which can be used by the model checker to perform the analysis itself. Having presented an AFSM that can be used in the general case, we discuss a specialized version of the AFSM that can be applied to acyclic policies, exploiting opportunities for significant performance improvement in this case.

Figure 6: Running example

4.1  Policy  State-space  Reductions 

A naive implementation based directly on Theorem 6 would consider all policy states $\mathcal{P}'$ satisfying $\mathcal{P}' \subseteq \mathcal{P} \cup \mathcal{N}(\pi)$ and $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}'$. This section seeks to reduce the number and size of the policies that need to be considered while preserving the soundness and completeness of the security analysis. We begin with a corollary that simplifies slightly the statement of Theorem 6 by eliminating the reference to reachability.

Corollary 14 Given an RCPI $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, there exists a $\mathcal{P}'$ such that $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}'$ and there exists a principal $E$ such that $E \in [\![A.r]\!]_{\mathcal{P}'}$ and $E \notin [\![X.u]\!]_{\mathcal{P}'}$ if and only if there exists a $\mathcal{P}''$ such that $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}'' \subseteq \mathcal{P} \cup \mathcal{N}(\pi)$ and there exists a principal $E'$ such that $E' \in [\![A.r]\!]_{\mathcal{P}''}$ and $E' \notin [\![X.u]\!]_{\mathcal{P}''}$.

Proof. For the "if" part, we need only show that $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}''$. This follows from Definition 2 and the observation that $\mathcal{N}(\pi)|_{\mathcal{G}_{\mathcal{R}}} = \emptyset$.

For the "only if" part, we show that the $\mathcal{P}''$ that is guaranteed to exist by Theorem 6 satisfies $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}'' \subseteq \mathcal{P} \cup \mathcal{N}(\pi)$. From the theorem, we have that $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}''$ and $\mathcal{P}'' \subseteq \mathcal{P} \cup \mathcal{N}(\pi)$. By Definition 2, $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}''$ implies $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}''$, as required to complete the proof. □

Consider the example RCPI $\pi$ given in Figure 6a. When we construct $\mathcal{N}(\pi)$, we calculate $\mathrm{SigRoles}(\pi) = \{X.u, C.r\}$, so $\mathrm{NewPrinc}(\pi)$ contains $2^2$ new principals. Letting $\mathrm{NewPrinc}(\pi) = \{D, E, F, G\}$, the set of roles defined by $\mathcal{N}(\pi)$, given by $\{A, B, C, D, E, F, G, X\} \times \{r, s, u\}$, has 24 elements. When we remove the growth restricted roles $\{A.r, B.r\}$, we are left with 22 growth unrestricted roles from which to build simple member statements. This construction yields $|\mathcal{N}(\pi)| = 176$ new simple member statements. This number, along with the original 3 statements of $\mathcal{P}$, produces an upper bound of 179 on the number of statements in the policy states that must be explored, and because there is one statement defining a shrink restricted role, we have to examine at most $2^{178}$ reachable policy states.

Turning now to our goal of reducing the size of the state space that must be explored, we show that $\mathcal{N}(\pi)$ often contains a large number of simple member statements that need not be considered. In particular, the effect of many simple member statements constructed by using principals in $\mathrm{Principals}(\mathcal{P})$ can be simulated by simple member statements that instead use principals in $\mathrm{NewPrinc}(\pi)$. We illustrate this point by making three observations based on the example pictured in Figure 6.

First, a significant number of new simple member statements are introduced, defining eight sub-linked roles $A.s$, $B.s$, $C.s$, $D.s$, $E.s$, $F.s$, $G.s$, $X.s$. The construction produces $8^2$ statements based on these roles. However, many of these roles function equivalently with respect to their capacity to generate a reachable policy state that violates the query. In this example, one growth unrestricted sub-linked role is sufficient for this purpose. While in general we have been unable to reduce the number of sub-linked roles down to one, and we are doubtful that doing so is safe in the general case, we do show that many statements defining such roles can safely be eliminated. Second, notice that the counterexample presented from the verification effort can be constructed with far fewer principals. The counterexample in Figure 6b uses only two principals. In particular, principals in $\mathrm{Principals}(\mathcal{P})$ that cannot form the linkage in a linked role can often be safely excluded from simple member statements, as new principals can serve the same function in generating potential counterexamples. Third, the construction above produces several simple member statements, such as $A.u \leftarrow B$ and $X.r \leftarrow C$, that define roles on which the memberships of the queried roles do not depend.

In the following two sections, we take two steps to reduce the number of policy states that must be considered, in each case eliminating the need to consider several statements in $\mathcal{P} \cup \mathcal{N}(\pi)$. In the first section, we construct $\mathcal{N}'(\pi) \subseteq \mathcal{N}(\pi)$ that, as we prove, can be used in place of $\mathcal{N}(\pi)$ in defining the upper bound on policy states that must be considered. $\mathcal{N}'(\pi)$ limits the number of sub-linked roles that are considered, as well as the number of principals in $\mathrm{Principals}(\mathcal{P})$ that are used to construct simple member statements. In the second section, we eliminate from consideration policy statements that cannot affect the membership of queried roles. Finally, a theorem demonstrates the soundness of these reductions.

4.1.1  Constraining  Simple  Member  Statement  Principals 

As illustrated above, it is often the case that we need not consider new statements defining sub-linked roles owned by certain principals in $\mathrm{Principals}(\mathcal{P})$. These statements are omitted from $\mathcal{N}'(\pi)$, which is constructed just below in Definition 15. Specifically, it is unnecessary to consider statements of the form $F.r_1 \leftarrow e$ when $r_1 \in \mathrm{LinkedRoleNames}(\mathcal{P})$, in which $\mathrm{LinkedRoleNames}(\mathcal{P}) = \{r_1 \mid \exists A.\, \exists B.\, \exists r.\; A \leftarrow B.r.r_1 \in \mathcal{P}\}$, provided $F$ is never introduced as a member of any role and $F.r_1$ has no statement defining or referencing it in $\mathcal{P}$. It is also unnecessary to consider statements of the form $A_1 \leftarrow F$ when $F$ is never introduced as a member of any role and $F.r_1$ has no statement defining or referencing it in $\mathcal{P}$ for any $r_1 \in \mathrm{LinkedRoleNames}(\mathcal{P})$. Intuitively, these are cases in which $F.r_1$ cannot participate in contributing to the membership of $A$ via the statement $A \leftarrow B.r.r_1$. Before defining $\mathcal{N}'(\pi)$, we recall that for $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, $\mathrm{NewPrinc}(\pi)$ is a set of new principals, disjoint from $\mathrm{Principals}(\mathcal{P}) \cup \mathrm{Principals}(\mathcal{R})$, whose cardinality is $2^{|\mathrm{SigRoles}(\pi)|}$, in which $\mathrm{SigRoles}(\pi)$ is the set $\{X.u\} \cup \{B_1.r_1 \mid B.r \leftarrow B_1.r_1.r_2 \in \mathcal{P}\} \cup \{B_1.r_1, B_2.r_2 \mid B.r \leftarrow B_1.r_1 \cap B_2.r_2 \in \mathcal{P}\}$ and $\mathrm{Principals}(\mathcal{R})$ is the set of principals in the restriction rule.
Definition 15 Given any RCPI $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, define $\mathcal{N}'(\pi)$ as follows.

$\mathcal{N}'(\pi) = \{A.r \leftarrow D \mid A.r \notin \mathcal{G}_{\mathcal{R}} \wedge r \in \mathrm{Names}(\mathcal{P}) \wedge A, D \in \mathrm{Principals}(\mathcal{P}) \cup \mathrm{NewPrinc}(\pi) \wedge A.r \notin \mathrm{NoLinkedDefs}(\mathcal{P}) \wedge D \notin \mathrm{NoLinkedPrinc}(\mathcal{P})\}$

$\mathrm{NoLinkedDefs}(\mathcal{P}) = \{F.r_1 \mid F \in \mathrm{Principals}(\mathcal{P}) \wedge r_1 \in \mathrm{LinkedRoleNames}(\mathcal{P}) \wedge F.r_1 \notin \mathrm{ConcreteRoles}(\mathcal{P}) \wedge \forall A \in \mathrm{ConcreteRoles}(\mathcal{P}).\; A \leftarrow F \notin \mathcal{P}\}$

$\mathrm{LinkedRoleNames}(\mathcal{P}) = \{r_1 \mid \exists A.\, \exists B.\, \exists r.\; A \leftarrow B.r.r_1 \in \mathcal{P}\}$

$\mathrm{NoLinkedPrinc}(\mathcal{P}) = \{F \mid F \in \mathrm{Principals}(\mathcal{P}) \wedge \forall r_1 \in \mathrm{LinkedRoleNames}(\mathcal{P}).\; F.r_1 \notin \mathrm{ConcreteRoles}(\mathcal{P}) \wedge \forall A \in \mathrm{ConcreteRoles}(\mathcal{P}).\; A \leftarrow F \notin \mathcal{P}\}$

$\mathrm{ConcreteRoles}(\mathcal{P}) = \{B.r \mid \exists e_1.\; B.r \leftarrow e_1 \in \mathcal{P} \;\vee\; \exists A \leftarrow e_2 \in \mathcal{P}.\; e_2 \in \{B.r, B.r.r_1, B.r \cap C.r_1, C.r_1 \cap B.r\}\}$


Intuitively, $\mathrm{ConcreteRoles}(\mathcal{P})$ is the set of roles appearing in $\mathcal{P}$; $\mathrm{LinkedRoleNames}(\mathcal{P})$ is the set of role names that appear as the second role name in a linked role $B.r.r_1$ occurring in $\mathcal{P}$; $\mathrm{NoLinkedDefs}(\mathcal{P})$ is the set of roles $F.r_1$ not appearing in $\mathcal{P}$ such that $F$ and $r_1$ do appear in $\mathcal{P}$, $r_1 \in \mathrm{LinkedRoleNames}(\mathcal{P})$, and $F$ is not a member of any role in $\mathcal{P}$; $\mathrm{NoLinkedPrinc}(\mathcal{P})$ is the set of principals in $\mathcal{P}$ that cannot contribute to the membership of a linked role $B.r.r_1$ in $\mathcal{P}$ as a result of being a member of $B.r$. Finally, $\mathcal{N}'(\pi)$ is obtained from $\mathcal{N}(\pi)$ by removing the statements $A.r \leftarrow D$ for which the condition $A.r \notin \mathrm{NoLinkedDefs}(\mathcal{P}) \wedge D \notin \mathrm{NoLinkedPrinc}(\mathcal{P})$ fails. The intuition made precise by the following lemma is that the roles played by such statements in constructing a counterexample can be played by statements constructed by using principals not appearing in $\mathcal{P}$.

Consider the running example RCPI $\pi$ given in Figure 6a. We construct $\mathcal{N}'(\pi)$ by assuming that $\mathrm{NewPrinc}(\pi) = \{D, E, F, G\}$. By applying the definition, we obtain $\mathrm{ConcreteRoles}(\mathcal{P}) = \{A.r, B.r, C.r, X.u\}$, $\mathrm{NoLinkedDefs}(\mathcal{P}) = \{A.s, B.s, C.s, X.s\}$, and $\mathrm{NoLinkedPrinc}(\mathcal{P}) = \{A, B, C, X\}$, which is equal to $\mathrm{Principals}(\mathcal{P})$. The set of roles used to construct the simple member statements of $\mathcal{N}'(\pi)$ contains 18 elements, obtained by removing the 4 elements of $\mathrm{NoLinkedDefs}(\mathcal{P})$ and the 2 growth restricted roles $\{A.r, B.r\}$ from the set of roles $\{A, B, C, X, D, E, F, G\} \times \{r, s, u\}$. The set of principals used to construct simple member statements contains only the 4 elements of $\mathrm{NewPrinc}(\pi)$. Thus, the construction yields $18 \times 4$ new statements, in addition to the original 3 statements of $\mathcal{P}$ in $\pi$.

Lemma 16 (Equivalence of using $\mathcal{N}$ and $\mathcal{N}'$) Let $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ be any RCPI. There exists $\mathcal{P}'$ and $E \in \mathrm{Principals}(\mathcal{P}')$ such that $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}' \subseteq \mathcal{P} \cup \mathcal{N}(\pi)$, $E \in [\![A.r]\!]_{\mathcal{P}'}$, and $E \notin [\![X.u]\!]_{\mathcal{P}'}$ if and only if there exists $\mathcal{P}''$ and $E \in \mathrm{Principals}(\mathcal{P}'')$ such that $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}'' \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))$, $E \in [\![A.r]\!]_{\mathcal{P}''}$, and $E \notin [\![X.u]\!]_{\mathcal{P}''}$.

Note that $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}'' \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))$ implies $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}''$.


4.1.2  Reducing  the  Number  of  Roles  that  Need  to  be  Considered 

Lemma 16 tells us that to determine whether an RCPI $\pi$ is satisfied, it is sufficient to look for counterexamples $\mathcal{P}'$ satisfying $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}' \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))$. It is often possible to substantially further reduce the number of policy states that must be considered by taking advantage of the fact that many policy statements cannot affect the memberships of the queried roles. This section shows how to take advantage of this opportunity.

To do this, we make use of a construction very similar to that of DefRoles. In the policy states $\mathcal{P}''$ under consideration in Corollary 14, the set of roles on which queried-role membership can depend includes sub-linked roles that are constructed from new principals not appearing in $\mathcal{P}$. The set of roles we require is given by $\mathrm{DefRoles}'$, which we now define.

Definition 17 Let $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ be any RCPI. We denote by $\mathrm{DefRoles}'(\pi)$ the least set of roles $O$ satisfying the following conditions:

• $X.u, A.r \in O$

• $(A \in O \wedge A \leftarrow B.r_1 \in \mathcal{P}) \Rightarrow B.r_1 \in O$

• $(A \in O \wedge A \leftarrow B.r_1.r_2 \in \mathcal{P} \wedge D \in \mathrm{Principals}(\mathcal{P}) \cup \mathrm{NewPrinc}(\pi)) \Rightarrow (B.r_1 \in O \wedge D.r_2 \in O)$

• $(A \in O \wedge A \leftarrow B.r_1 \cap C.r_2 \in \mathcal{P}) \Rightarrow (B.r_1 \in O \wedge C.r_2 \in O)$

As shown below, it is sufficient to consider only policy states consisting of statements that define roles in $\mathrm{DefRoles}'(\pi)$. In fact, it may not be necessary to consider the initial policy state itself if it contains statements defining roles on which the queried roles do not depend.

Consider again the RCPI depicted in Figure 6. In this case, $\mathrm{DefRoles}'(\pi) = \{A.r, B.r, C.r, X.u, A.s, B.s, C.s, D.s, E.s, F.s, G.s, X.s\}$. This reduces from 24 to 12 the number of roles whose definitions need to be considered, that is, to half of the 24 roles required by the original construction $\mathcal{N}(\pi)$.

Lemma 18 (Projecting onto $\mathrm{DefRoles}'$) Let $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ be any RCPI. There exists $\mathcal{P}'$ and $E \in \mathrm{Principals}(\mathcal{P}')$ such that $E \in [\![A.r]\!]_{\mathcal{P}'}$, $E \notin [\![X.u]\!]_{\mathcal{P}'}$, and $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}' \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))$, if and only if there exists $\mathcal{P}''$ and $E \in \mathrm{Principals}(\mathcal{P}'')$ such that $E \in [\![A.r]\!]_{\mathcal{P}''}$, $E \notin [\![X.u]\!]_{\mathcal{P}''}$, and $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}} \cap \mathrm{DefRoles}'(\pi)} \subseteq \mathcal{P}'' \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))|_{\mathrm{DefRoles}'(\pi)}$.

Proof. It is easily shown by induction on the steps of evaluation of $\mathcal{P}'$ and $\mathcal{P}'|_{\mathrm{DefRoles}'(\pi)}$ that the memberships of roles in $\mathrm{DefRoles}'(\pi)$ are identical. □

Theorem 19 Given an RCPI $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, there exists a $\mathcal{P}'$ such that $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}'$ and there exists a principal $E$ such that $E \in [\![A.r]\!]_{\mathcal{P}'}$ and $E \notin [\![X.u]\!]_{\mathcal{P}'}$ if and only if there exists $\mathcal{P}''$ and $E \in \mathrm{Principals}(\mathcal{P}'')$ such that $E \in [\![A.r]\!]_{\mathcal{P}''}$, $E \notin [\![X.u]\!]_{\mathcal{P}''}$, and $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}} \cap \mathrm{DefRoles}'(\pi)} \subseteq \mathcal{P}'' \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))|_{\mathrm{DefRoles}'(\pi)}$.

Proof. Follows by applying Corollary 14, Lemma 16, and Lemma 18. □

Note that because of the projection onto $\mathrm{DefRoles}'(\pi)$, this theorem enables us to consider policy states for which it is not necessarily the case that $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}''$. Thus, $\mathcal{P}''$ is not generally a counterexample for the original RCPI, $\pi$. Theorem 19 tells us only that a counterexample for $\pi$ exists if and only if a $\mathcal{P}''$ exists satisfying the requirements in the theorem. This is helpful because the size of the policy states that must be examined in finding $\mathcal{P}''$ is generally smaller than if we omit the restriction to $\mathrm{DefRoles}'(\pi)$. This makes model checking more likely to be successful. Reachable states that differ only in the definition of roles outside $\mathrm{DefRoles}'(\pi)$ do not have to be considered separately from one another. However, we wish to present to the user not only information as to whether a counterexample exists. When one does exist, we would like to exhibit it so that the user can identify the source of the problem. The following proposition enables us to do so.
Proposition 20 Given a $\mathcal{P}''$ satisfying the requirements stated in Theorem 19, we can construct $\mathcal{P}' = \mathcal{P}'' \cup \ldots|_{\mathrm{DefRoles}'(\pi)}$, which satisfies $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}'$, $[\![A.r]\!]_{\mathcal{P}'} = [\![A.r]\!]_{\mathcal{P}''}$, and $[\![X.u]\!]_{\mathcal{P}'} = [\![X.u]\!]_{\mathcal{P}''}$, from which it follows that $\mathcal{P}'$ satisfies the requirements stated in Theorem 19.

Proof. The proposition follows by induction on the construction of $T_{\mathcal{P}}\!\uparrow\!\omega[B.r_1]$ and the definition of $\mathrm{DefRoles}'(\pi)$. □

Thus we can return the $\mathcal{P}'$ identified in Proposition 20 to the user as a counterexample to $\pi$ when one exists. The following definition formalizes the policy states that need to be model checked to determine whether the query is satisfied by every state that is reachable from $\pi$. We say that this set is to be evaluated (TBE).

Definition 21 ($\mathrm{TBE}(\pi)$ and $\mathrm{MaxTBE}(\pi)$) Given an RCPI $\pi$, we define the set of policy states to be evaluated for $\pi$ by $\mathrm{TBE}(\pi) = \{\mathcal{P}' \mid \mathcal{P}|_{\mathcal{S}_{\mathcal{R}} \cap \mathrm{DefRoles}'(\pi)} \subseteq \mathcal{P}' \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))|_{\mathrm{DefRoles}'(\pi)}\}$. We call the largest policy state in $\mathrm{TBE}(\pi)$ $\mathrm{MaxTBE}(\pi) = (\mathcal{P} \cup \mathcal{N}'(\pi))|_{\mathrm{DefRoles}'(\pi)}$.

Let us once again reconsider the example depicted in Figure 6. We obtain 75 statements in $\mathcal{P} \cup \mathcal{N}'(\pi)$. Projecting onto $\mathrm{DefRoles}'(\pi)$, we obtain 27 statements in $(\mathcal{P} \cup \mathcal{N}'(\pi))|_{\mathrm{DefRoles}'(\pi)}$. Because $\mathcal{N}'(\pi)$ contains no statements defining roles in $\{A.s, B.s, C.s, X.s\}$, $\mathcal{N}'(\pi)|_{\mathrm{DefRoles}'(\pi)}$ defines only 8 roles: $\{A.r, B.r, C.r, X.u, D.s, E.s, F.s, G.s\}$. Of these, $A.r$ and $B.r$ are growth restricted. Thus, only 6 roles and 4 principals will be used to construct new statements, so the total number of statements in $\mathcal{N}'(\pi)|_{\mathrm{DefRoles}'(\pi)}$ would be 24, making the number of policy statements in $(\mathcal{P} \cup \mathcal{N}'(\pi))|_{\mathrm{DefRoles}'(\pi)}$ 27. This is a significant reduction from the 179 statements we would have been required to examine in the original construction.
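As an added example (my own code, not the paper's tool), the following Python computes $\mathcal{N}(\pi)$, $\mathcal{N}'(\pi)$, $\mathrm{DefRoles}'(\pi)$ and $\mathrm{MaxTBE}(\pi)$ of Definitions 15, 17 and 21 for a policy constructed to have the same shape as the running example (three statements, $\mathrm{SigRoles}(\pi) = \{X.u, C.r\}$, $A.r$ and $B.r$ growth restricted); it is not Figure 6 itself, and the names of the new principals are my choice.

```python
# Added example: computing N(π), N'(π), DefRoles'(π) and MaxTBE(π) for an RCPI
# (Definitions 15, 17 and 21). Not the paper's code. The policy below is
# constructed to have the same shape as the running example (three statements,
# SigRoles = {X.u, C.r}, A.r and B.r growth restricted); it is not Figure 6 itself.
from itertools import product

# Statements are (head_role, body) with body one of ("member", D),
# ("role", (B, r1)), ("linked", (B, r1), r2), ("inter", (B, r1), (C, r2)).
POLICY = [
    (("X", "u"), ("role", ("C", "r"))),          # X.u <- C.r  (X.u shrink restricted)
    (("A", "r"), ("role", ("B", "r"))),          # A.r <- B.r
    (("B", "r"), ("linked", ("C", "r"), "s")),   # B.r <- C.r.s
]
GROWTH = {("A", "r"), ("B", "r")}
SHRINK = {("X", "u")}
QUERY = (("X", "u"), ("A", "r"))                 # the query X.u ⊒ A.r

def concrete_roles(policy):
    """ConcreteRoles(P): every role defined or referenced in P."""
    roles = set()
    for head, body in policy:
        roles.add(head)
        roles.update(r for r in body[1:] if isinstance(r, tuple))
    return roles

def direct_members(policy):
    return {body[1] for _, body in policy if body[0] == "member"}

def linked_role_names(policy):
    """LinkedRoleNames(P): second role names of linked roles B.r.r1 in P."""
    return {body[2] for _, body in policy if body[0] == "linked"}

def principals(policy):
    return {a for a, _ in concrete_roles(policy)} | direct_members(policy)

def role_names(policy):
    return {r for _, r in concrete_roles(policy)} | linked_role_names(policy)

def sig_roles(policy, query):
    """SigRoles(π): X.u plus the roles occurring in linked and intersection bodies."""
    return {query[0]} | {r for _, body in policy if body[0] in ("linked", "inter")
                         for r in body[1:] if isinstance(r, tuple)}

def new_princ(policy, query):
    """NewPrinc(π): 2^|SigRoles(π)| fresh principals (the names are my choice)."""
    return {f"new{i}" for i in range(2 ** len(sig_roles(policy, query)))}

def construct_n(policy, growth, query):
    """N(π): A.r <- D for every growth-unrestricted role A.r and principal D
    drawn from Principals(P) ∪ NewPrinc(π) and the role names of P."""
    ps = principals(policy) | new_princ(policy, query)
    return {((a, r), ("member", d)) for a, r, d in product(ps, role_names(policy), ps)
            if (a, r) not in growth}

def no_linked_defs(policy):
    cr, dm = concrete_roles(policy), direct_members(policy)
    return {(f, r1) for f in principals(policy) for r1 in linked_role_names(policy)
            if (f, r1) not in cr and f not in dm}

def no_linked_princ(policy):
    cr, dm = concrete_roles(policy), direct_members(policy)
    return {f for f in principals(policy) if f not in dm
            and all((f, r1) not in cr for r1 in linked_role_names(policy))}

def construct_n_prime(policy, growth, query):
    """N'(π): N(π) minus statements that define a NoLinkedDefs role or add a
    NoLinkedPrinc principal (Definition 15)."""
    nld, nlp = no_linked_defs(policy), no_linked_princ(policy)
    return {(head, body) for head, body in construct_n(policy, growth, query)
            if head not in nld and body[1] not in nlp}

def def_roles_prime(policy, query):
    """DefRoles'(π): the least set closed under the rules of Definition 17."""
    ps = principals(policy) | new_princ(policy, query)
    o, changed = set(query), True
    while changed:
        changed = False
        for head, body in policy:
            if head not in o or body[0] == "member":
                continue
            add = {r for r in body[1:] if isinstance(r, tuple)}
            if body[0] == "linked":            # every D.r2 over all principals D
                add |= {(d, body[2]) for d in ps}
            if not add <= o:
                o |= add
                changed = True
    return o

def max_tbe(policy, growth, query):
    """MaxTBE(π) = (P ∪ N'(π)) projected onto DefRoles'(π) (Definition 21)."""
    o = def_roles_prime(policy, query)
    return {s for s in set(policy) | construct_n_prime(policy, growth, query) if s[0] in o}

def free_statement_count(policy, shrink, new_statements):
    """Statements free to be present or absent in a state: the new ones plus those
    of P not defining a shrink-restricted role; 2 ** result bounds the state count."""
    return len(new_statements) + sum(1 for head, _ in policy if head not in shrink)
```

On the constructed policy the functions reproduce the counts discussed above: 176 statements in $\mathcal{N}(\pi)$, 72 in $\mathcal{N}'(\pi)$, 12 roles in $\mathrm{DefRoles}'(\pi)$, 27 statements in $\mathrm{MaxTBE}(\pi)$, and 178 free statements for the original construction.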

4.2  Analysis  Finite  State  Machine 

Model  checkers  take  as  input  a  finite  state  machine  (FSM)  and  a  property  specification  expressed  as  a 
temporal-logic  formula.  They  then  determine  whether  the  FSM  satisfies  the  formula.  We  use  the  following 
standard  definition  of  an  FSM. 

Definition 22 (FSM) A finite state machine is given by the 3-tuple $(S, S_0, \delta)$, in which $S$ is a finite, non-empty set of states, $S_0 \subseteq S$ is a set of initial states, and $\delta \subseteq S \times S$ is a transition relation.

(Some standard definitions also include a labeling function that maps states to structured objects, such as sets of propositions, interpretations, or variable bindings. We take the alternative of making states themselves be structured objects, as we discuss below.)

In this section we present two FSMs that can be used to solve RCPIs. The first of these can be applied to any RCPI $\pi$ and is denoted by $\mathrm{AFSM}(\pi)$. This FSM uses state transitions to perform the fixpoint calculation that computes role memberships. (NuSMV automatically analyzes dependencies among role definitions and essentially replaces each use of a role in a statement by an expression derived from the definition of that role in the policy state, together with the role memberships that had been obtained in the prior step of the fixpoint calculation.) The second FSM we present can be applied safely only to RCPIs $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ in which $\mathcal{P}$ is non-recursive. We denote this latter FSM by $\mathrm{AFSMOPT}(\pi)$. In $\mathrm{AFSMOPT}(\pi)$, we simply generate each policy state in $\mathrm{TBE}(\pi)$ and rely on NuSMV to compute role membership efficiently in a single step. Because $\mathcal{P}$ is non-recursive, this first role membership assignment is guaranteed to be the fixpoint. Consequently, $\mathrm{AFSMOPT}(\pi)$ need not take a transition simulating an iteration of the fixpoint calculation, nor determine that the fixpoint has been reached. Below in Section 5, we present how these abstract structures are expressed in the NuSMV FSM specification language.
  $S = \mathrm{TBE}(\pi) \times \beta \times \{\mathit{fix}, \mathit{eval}\}$

  $\beta = \mathrm{ConcreteRoles}(\mathrm{MaxTBE}(\pi)) \to \wp(\mathrm{Principals}(\mathrm{MaxTBE}(\pi)))$

  (β, the set of role membership functions, is the set of functions from roles to sets of principals.)

  $S_0 = \mathrm{TBE}(\pi) \times \{\eta_0\} \times \{\mathit{eval}\}$

  $\eta_0(A) = \emptyset$, for each $A \in \mathrm{ConcreteRoles}(\mathrm{MaxTBE}(\pi))$

  (η_0, the initial role membership function, maps each role to the empty set of principals.)

  $\delta = \{((\mathcal{P}_i, \eta, \mathit{eval}), (\mathcal{P}_i, \eta', \mathit{eval})) \mid \eta' = T_{\mathcal{P}_i}(\eta) \wedge \eta' \neq \eta\} \cup \{((\mathcal{P}_i, \eta, \mathit{eval}), (\mathcal{P}_i, \eta, \mathit{fix})) \mid \eta = T_{\mathcal{P}_i}(\eta)\}$

  (When applying $T_{\mathcal{P}_i}(\eta)$ yields a new role membership function, we keep evaluating; otherwise a fixpoint has been reached.)

Figure 7: Construction of AFSM(π)


4.3  General  Case 

The specification of AFSM(π) is given in Figure 7 in terms of the abstract structures of the form given in Definition 22. It evaluates the role membership of each policy state in TBE(π) for arbitrary RCPIs π. Each state of AFSM(π) includes not only a given policy state in TBE(π) but also a role membership function η ∈ β, which maps each role to the set of principals in that role. It also includes a flag that takes on either the value fix or eval, which we discuss next. Because the RT language allows cyclic dependencies among roles, we found it necessary to use a sequence of state transitions to calculate the fixpoint that determines the membership of each role. This is accomplished by differentiating between what we call fixpoint mode (fix) and evaluation mode (eval). Mode eval signifies that the calculation of role memberships has not yet stabilized to a fixpoint, so the query should not be evaluated yet; from such a state, the FSM proceeds with another step of the evaluation process. Mode fix signifies that the fixpoint has been reached (none of the role memberships change between successive states), and that the role membership function now accurately reflects the membership of each role in the given policy state. The membership of each role under the given policy is now known and the query can be evaluated. The fact that the query should be evaluated only after a fixpoint has been reached is encoded in the CTL formula that is evaluated with respect to runs of AFSM(π). (See Section 5.)

Figure 8 illustrates two concepts. First, observe that all the non-determinism occurs in the selection of an initial state, which corresponds to the selection of the policy in TBE(π) that is evaluated. These are represented by the policy states pictured as P_0 ... P_{n-1}, in which n = |TBE(π)|. States in eval mode are represented by gray dots. Transitions out of these states represent steps in the evaluation of the fixpoint. Second, the states in fix mode (represented by black dots) have no outgoing transitions. These are the states in which the query is actually evaluated.

4.4  Non-Recursive  Case 

Let us now define AFSMOPT(π), which can be safely applied only when π is non-recursive, but achieves significant savings in this case. This construction is given in Figure 9. In this case, the FSM state contains only the element of TBE(π) to be evaluated. The role membership function is calculated by the CTL formula (see Section 5).

[Figure 8 (diagram not reproduced): Relation of policy states to evaluation states for an RCPI in which |TBE(π)| = 6]

  $S = \mathrm{TBE}(\pi)$

  $S_0 = S$

  $\delta = \emptyset$

Figure 9: Construction of AFSM(π) optimized for the case in which P is non-recursive, where π = (P, R, X.u ⊒ A.r)

The key difference between the general and the non-recursive versions is that the latter can define the membership of any role A as a formula in which each dependent role B.r is replaced with the definition of B.r. Since there are no cyclic dependencies, the definition of A can be resolved to an expression with a known and finite number of terms, where each term is a Boolean indicating the presence or absence of a policy statement in the current policy state. Thus, for any given role A and principal C, C is in A if certain policy statements are present.
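The AFSM(π) construction of Figure 7, restated as an added Python example (this is not code from the paper or its tool). It enumerates the policy states, iterates T_P from η_0 in eval mode until the membership function stops changing (the fix-mode state), and only then evaluates X.u ⊒ A.r with the same bit-vector test that the SMV property of Section 5 uses. The tuple encoding of statements, the reading of TBE(π) as every subset of MaxTBE(π) that keeps the statements of shrink-restricted roles, and the scaled-down running example with two new principals (D and E) instead of four are assumptions made for the example.

```python
"""AFSM(pi) for an RT role-containment query, as a brute-force Python model.

Statements are tuples (defined_role, kind, argument):
  ("A.r", "member", "B")            A.r <- B
  ("A.r", "incl",   "B.r")          A.r <- B.r
  ("A.r", "linked", ("B.r", "s"))   A.r <- B.r.s
  ("A.r", "inter",  ("B.r", "C.s")) A.r <- B.r ∩ C.s
A role membership function eta maps a role name to an int bit vector in which
bit j is set iff the principal with index j is a member (the Section 5.1 encoding).
"""
from itertools import combinations


def apply_tp(policy, principals, eta):
    """One application of T_P: every role is recomputed from the previous eta
    (simultaneous update, like a set of SMV next() assignments)."""
    index = {p: k for k, p in enumerate(principals)}
    new = {role: 0 for role in eta}
    for role, kind, arg in policy:
        if kind == "member":                      # A <- B
            new[role] |= 1 << index[arg]
        elif kind == "incl":                      # A <- B.r
            new[role] |= eta.get(arg, 0)
        elif kind == "linked":                    # A <- B.r.s: union of C.s over C in B.r
            base, name = arg
            for c, k in index.items():
                if eta.get(base, 0) >> k & 1:
                    new[role] |= eta.get(f"{c}.{name}", 0)
        elif kind == "inter":                     # A <- B.r ∩ C.s
            left, right = arg
            new[role] |= eta.get(left, 0) & eta.get(right, 0)
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return new


def fixpoint(policy, principals, roles):
    """eval mode: iterate T_P from eta_0 (all roles empty) until T_P(eta) == eta,
    which is the fix-mode state of Figure 7. Returns (eta, applications of T_P)."""
    eta = {role: 0 for role in roles}
    steps = 0
    while True:
        nxt = apply_tp(policy, principals, eta)
        steps += 1
        if nxt == eta:
            return eta, steps
        eta = nxt


def contains(eta, big, small):
    """The query big ⊒ small as the bitwise test (big | small) = big of Section 5.1.4."""
    return (eta[big] | eta[small]) == eta[big]


def policy_states(max_tbe, fixed):
    """TBE(pi), read here as every subset of MaxTBE(pi) that keeps the statements
    defining shrink-restricted roles (the fixed ones); smallest states first."""
    free = [st for st in max_tbe if st not in fixed]
    for n in range(len(free) + 1):
        for chosen in combinations(free, n):
            yield tuple(fixed) + chosen


def analyse(max_tbe, fixed, principals, roles, big, small):
    """Check big ⊒ small in every policy state, reading the query only at the
    fixpoint. Returns None if it holds everywhere, else (state, eta, witness)."""
    for state in policy_states(max_tbe, fixed):
        eta, _ = fixpoint(state, principals, roles)
        if not contains(eta, big, small):
            bad = eta[small] & ~eta[big]          # members of small missing from big
            witness = next(p for k, p in enumerate(principals) if bad >> k & 1)
            return state, eta, witness
    return None


def running_example():
    """Constructed, scaled-down version of the running example: the three original
    statements plus the new member statements for two new principals, D and E,
    instead of the paper's four (an assumption that keeps the enumeration small)."""
    principals = ["D", "E"]
    new_roles = ["C.r", "X.u", "D.s", "E.s"]      # A.r and B.r are growth restricted
    original = [("A.r", "incl", "B.r"),
                ("A.r", "inter", ("X.u", "C.r")),
                ("B.r", "linked", ("X.u", "s"))]
    max_tbe = original + [(r, "member", p) for r in new_roles for p in principals]
    fixed = [original[2]]                         # B.r is shrink restricted
    return max_tbe, fixed, principals, ["A.r", "B.r"] + new_roles


if __name__ == "__main__":
    print(analyse(*running_example(), "X.u", "A.r"))
```

Running the module prints the first counterexample found for the constructed instance: the policy state {B.r ← X.u.s, A.r ← B.r, X.u ← D, D.s ← E}, in which E ∈ [A.r] but E ∉ [X.u], reached after four applications of T_P. Because every policy state is explored and the query is read only at the fixpoint, the verdict is the one the model checker returns; what the enumeration lacks is the symbolic (BDD) encoding that makes the full 27-statement instance tractable.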

5  Model  Checking  RT  Policy 

This section describes the translation process that takes as input an RCPI π and MaxTBE(π), and builds an SMV model and a property specification (written in temporal logic) that expresses the policy analysis query. The SMV model and specification are passed to the SMV model checker and the results of the model checking are returned to the user in the form of an affirmation or a counterexample. We describe two translation processes, to handle the general case and the optimized non-recursive case.

Model checking is an automated technique for verifying finite systems, usually modeled as FSMs. Model checking exhaustively explores the state space based on the transition relation of a finite system to determine whether a given property, usually expressed in temporal logic, holds. Temporal logic is a specification language for expressing properties of sequences of states in terms of temporal operators and logical connectives. In the case that a property fails to hold, a model checker can produce a counterexample consisting of a trace that shows how the failure can arise, which can be used to correct the model or the property specification. We choose to use Cadence SMV because it is a general purpose model checker and it is a BDD-based (symbolic), highly optimized tool that can handle a relatively large state space.

5.1  General  Translation 

Once we have constructed MaxTBE(π) for a given RCPI π, or for an RCPI π created by the reduction techniques (e.g., decomposition), we translate the (π, MaxTBE(π)) pair into a model and a property specification in SMV's input language. Translation consists of four steps, each corresponding to the construction of one of the core components input to the SMV model checker: data structure declaration, initialization, transition relation, and property specification.

We briefly describe SMV by focusing on the features that we use. SMV models are FSMs. States are given by assignments of values to state variables, which must be of finite type. Variables are declared at the beginning of the model definition using the syntax ⟨variable⟩ : ⟨type⟩, where variable is an identifier that refers to the name of a data structure and type is one of the finite types such as boolean, an enumerated type, or a range of integers.

The initial states are defined by using init statements of the form init(x) := exp, which defines the value or set of values x can take on initially. The transition relation is represented by a collection of next statements of the form next(x) := exp, which defines the value or set of values that x can assume in the following state (by taking the transition in the current state). Transitions can be non-deterministic; SMV explores all possible combinations of such choices. In a next statement, exp can refer to the values of variables in the current state (e.g., x) or in the next state (e.g., next(x)). However, there must not be cyclic dependencies among values in the next state. In particular, iteration cannot be used to define the transition relation. (This becomes relevant in our context in the evaluation of role memberships when policies contain cyclic dependencies among roles.) On the other hand, conditional statements can be used to specify transitions, in the form if (⟨condition⟩) {⟨body1⟩} or if (⟨condition⟩) {⟨body1⟩} else {⟨body2⟩}, where ⟨condition⟩ is a Boolean expression, and ⟨body1⟩ and ⟨body2⟩ are sets of next statements. The next state is computed from the current state by executing each next statement (in an order that respects the dependencies among them). SMV supports derived variables, which are essentially macros that expand to expressions over state variables. Derived variables are defined by using assignment statements of the form x := exp and are not explicitly represented in any state. Instead, variable x is replaced by exp, which refers to state variables.

The property specification defines a Computation Tree Logic (CTL) formula to be checked against the SMV model. (CTL is a branching-time temporal logic.) In our work we use the universal path quantifier combined with the temporal operator henceforth, written AG(p), to express that the property p holds in every state along all paths.

Comments are lines that begin with a double dash (--).

5.1.1  Data  Structures 

Data structures in SMV hold the state information of an FSM, which is used to compute the next state. Besides the simple/generic data types, we can also specify an array using the syntax ⟨variable⟩ : array ⟨x⟩..⟨y⟩ of ⟨type⟩, where x and y specify the range of the array. A specific index can be assigned or referenced using the square bracket operator, as in ⟨variable⟩[z], where variable is the name of an array and z is a non-negative integer. In our translation, we only use Boolean and Boolean array (bit vector) data structures.
  a. Policy statements, roles and principals, shown as SMV comments (27 statements, 8 roles, 4 principals)

    -- ***Policy Principals***
    -- <0> D
    -- <1> E
    -- <2> F
    -- <3> G
    ...

  b. NuSMV data structures

    -- policy statements
    s : array 0..26 of boolean;
    -- role membership, one bit per principal
    Ar : array 0..3 of boolean;
    Br : array 0..3 of boolean;
    Cr : array 0..3 of boolean;
    Xu : array 0..3 of boolean;
    Ds : array 0..3 of boolean;
    Es : array 0..3 of boolean;
    Fs : array 0..3 of boolean;
    Gs : array 0..3 of boolean;
    -- boolean fixpoint
    fixpoint : boolean;

Figure 10: Data structure declaration


Each AFSM declares three types of variables. The first represents the statements in MaxTBE(π), each of which is represented by a unique index of a bit vector named s. This declaration has the form s : array 0..m of boolean, where m = |MaxTBE(π)| − 1. Each policy state in TBE(π) (i.e., the set of states to be evaluated) can be represented by an assignment to the bit vector s: the value of a vector element being true indicates that the corresponding statement is present in that state.

The second type of state variable represents role membership. It consists of one bit vector for each role A, in which each principal is represented in each vector by a fixed index. Thus for each role A in ConcreteRoles(MaxTBE(π)), this declaration has the form A : array 0..n of boolean, where n = |Principals(MaxTBE(π))| − 1.

The AFSM uses a sequence of state transitions to calculate role memberships as a means to recursively evaluate a policy exhibiting cyclic dependencies. The third type of state variable is a Boolean flag indicating whether the role membership calculation has reached a fixpoint. This requires a declaration of the form fixpoint : boolean, where a value of true indicates that the fixpoint has been reached and false otherwise.

Suppose that we were to translate the pair (π, MaxTBE(π)) from the running example in Figure 6. Figure 10a shows its 27 statements, 8 roles, and 4 policy principals, which are shown as SMV comments. Figure 10b shows the result of translating it into SMV data structures.

5.1.2  Initial  State 

s is a bit vector that indicates which RT statements are present in the current policy state. The manner in which we initialize s[i] depends on the statement represented by index i. The statements that define shrink-restricted roles cannot be removed from any policy state. Thus, s[i] is initialized by the statement s[i] := 1 if statement i defines a role in S_R, which means that this statement is included in every policy state. (The value 1 represents true in SMV, indicating that statement i is in the policy state.) This makes s[i] a derived variable (i.e., a constant), which does not contribute to the size of the state space. On the other hand, when statement i does not satisfy this constraint, it is present in some reachable policy states and not in others. In such a case, we initialize statement i with init(s[i]) := {0, 1}, which nondeterministically sets the value of statement i to true or false. In this way, the set of initial states of the SMV model represents all possible policy states in TBE(π). (Recall that each policy state is a collection of policy statements.)

The bit vectors representing role membership are initialized to represent empty sets of principals. For each role A and each principal indexed by j, we assign init(A[j]) := 0. Finally, the fixpoint flag is initialized to false by assigning init(fixpoint) := 0.

  a. Policy state

    s[2] := 1;
    init(s[0]) := {0,1};
    init(s[1]) := {0,1};
    init(s[3]) := {0,1};
    ...

  b. Role membership

    init(Ar[0]) := 0;
    init(Ar[1]) := 0;
    ...

  c. Fixpoint mode

    init(fixpoint) := 0;

Figure 11: Initialization

Figure 11 illustrates how the initialization component of our SMV model for the running example would be expressed. Observe that we initialize the model to the set of reachable policy states and that certain statements are included as constants in every policy state. For example, s[2] corresponds to the statement B.r ← X.u.s in the model's comment header, and is included in every reachable policy state because it was in P and B.r ∈ S_R. Furthermore, since we begin in a non-fixpoint state, we initialize the roles to the empty set of principals and assign false to fixpoint.


5.1.3  Transition  Relation 

We now discuss how to implement the fixpoint calculation of role membership in SMV's input language. We represent the evaluation of role membership as a sequence of steps, each of which is implemented by a set of transitions updating the membership of all the roles (while the policy state remains fixed). When none of the transitions change the role membership in a state, the fixpoint has been reached, and the flag fixpoint is set to true by a transition. At this point the FSM run is complete: the FSM stays in this state forever, which is implemented by next statements of the form next(s[i]) := s[i], and the query is checked. The CTL specification that checks query satisfaction ignores states in which the fixpoint has not yet been reached.

The detailed implementation of the role membership calculation is as follows. Role membership in the next state is calculated from role membership in the current state based on the policy statements that are present in the current policy state. For each A ∈ ConcreteRoles(MaxTBE(π)) and each principal (given by some j ∈ [0..|Principals(MaxTBE(π))| − 1]), an assignment of the form next(A[j]) := exp is introduced. The form of the expression exp depends on the form of the policy statements that define A. It is a disjunction containing one disjunct for each A ← e ∈ MaxTBE(π). The form of this disjunct is given in Figure 12 based on the form of e, in which i is the index used to represent this statement and "|" represents disjunction. The case of linked roles bears some discussion: principal j is added to A if there is any principal C (indexed by k in the construction) such that in the previous state C is in B.r and principal j is in C.s.

To maintain the fixpoint flag correctly, the SMV input includes the statement next(fixpoint) := exp, where exp is the conjunction of expressions of the form next(A[j]) = A[j] over all roles A and all principals j. If the next state of each role is the same as its current state, the fixpoint of the role membership calculation has been reached in the current state.

  Statement Type          Form             Translated Expression
  Simple Member           A ← B            s[i]   (only for the index j of principal B)
  Simple Inclusion        A ← B.r          s[i] & Br[j]
  Linked Inclusion        A ← B.r.s        s[i] & (e_0 | ... | e_k | ... | e_m), where m = |Principals(MaxTBE(π))| − 1 and,
                                           for each k ∈ [0..m], e_k = (Br[k] & Cs[j]) with C the principal indexed by k
  Intersection Inclusion  A ← B.r ∩ C.s    s[i] & Br[j] & Cs[j]

Figure 12: Construction of expressions for role membership in the next state

Figure 13 illustrates how we would construct the SMV model for our running example. We constrain the next policy state to equal the current state when the flag fixpoint is false (evaluation mode). Note that the policy statement variable s[2] is not assigned any value, since it is defined as a constant. Furthermore, role A.r is defined by the statements represented by s[0] and s[1], and these definitions are combined using disjunction. In addition, role B.r is defined by a linked inclusion statement, and we express this in SMV by considering all of the sub-linked roles that could be formed from the base linked role X.u. For instance, if Xu[0] is true in some state P_1, this implies that D ∈ [X.u]_{P_1}, and the membership of D.s may influence the membership of A.r. Finally, the flag fixpoint takes the value true only when all of the roles in the model have reached a fixpoint.

5.1.4  Property  Specification 

The role containment query X.u ⊒ A.r is represented as the CTL formula AG(fixpoint -> ((Xu | Ar) = Xu)), which asserts that in every reachable state in which fixpoint is true, every member of A.r is also a member of X.u. The expression Xu | Ar is a bitwise or, which implements set union; requiring the union to equal Xu states that the set of principals in Ar must be a subset of those in Xu.

5.2  Non-Recursive  Case  Translation 

An alternative, optimized translation is developed for policies without cyclic dependencies. This translation results in savings that derive from two major factors. First, it eliminates the use of intermediate states and transitions associated with calculating role membership. Second, we can use derived variables, rather than state variables, to express role membership. Adding derived variables does not increase the state space.

The data structures of the SMV model remain the same as those used in the general translation, with the exception that there is no fixpoint variable and all role membership variables are derived variables (i.e., macros). However, the initialization process is different. We still initialize the policy state as before, but the role membership variables, which are now derived variables, are not initialized. Instead we define how they are expressed in terms of the policy statement variables. When we write the specification in SMV as AG((Xu | Ar) = Xu), the derived variables (e.g., Xu) in the specification are automatically replaced by their definitions, which refer to policy statement variables. In this way, the specification is expressed solely in terms of policy statement variables.
    if (fixpoint) {
        -- stay in this state forever
        next(s[0]) := s[0];
        next(s[1]) := s[1];
        next(s[3]) := s[3];
        ...
        next(Ar[0]) := Ar[0];
        next(Ar[1]) := Ar[1];
        next(Ar[2]) := Ar[2];
        ...
        next(fixpoint) := fixpoint;
    } else {
        -- next policy state
        next(s[0]) := s[0];
        next(s[1]) := s[1];
        next(s[3]) := s[3];
        ...
        -- next role state
        next(Ar[0]) := (s[0] & Br[0]) | (s[1] & Xu[0] & Cr[0]);
        next(Ar[1]) := (s[0] & Br[1]) | (s[1] & Xu[1] & Cr[1]);
        next(Ar[2]) := (s[0] & Br[2]) | (s[1] & Xu[2] & Cr[2]);
        next(Ar[3]) := (s[0] & Br[3]) | (s[1] & Xu[3] & Cr[3]);
        next(Br[0]) := s[2] & ((Xu[0] & Ds[0]) | (Xu[1] & Es[0]) | (Xu[2] & Fs[0]) | (Xu[3] & Gs[0]));
        next(Br[1]) := s[2] & ((Xu[0] & Ds[1]) | (Xu[1] & Es[1]) | (Xu[2] & Fs[1]) | (Xu[3] & Gs[1]));
        next(Br[2]) := s[2] & ((Xu[0] & Ds[2]) | (Xu[1] & Es[2]) | (Xu[2] & Fs[2]) | (Xu[3] & Gs[2]));
        next(Br[3]) := s[2] & ((Xu[0] & Ds[3]) | (Xu[1] & Es[3]) | (Xu[2] & Fs[3]) | (Xu[3] & Gs[3]));
        next(Cr[0]) := s[3];
        next(Cr[1]) := s[4];
        next(Cr[2]) := s[5];
        next(Cr[3]) := s[6];
        ...
        -- next fixpoint state
        next(fixpoint) := (next(Ar[0]) = Ar[0]) & (next(Ar[1]) = Ar[1]) & (next(Ar[2]) = Ar[2]) & ... &
                          (next(Xu[2]) = Xu[2]) & (next(Xu[3]) = Xu[3]);
    }

Figure 13: Example of simulating role membership evaluation




    Ar[0] := (s[0] & Br[0]) | (s[1] & Xu[0] & Cr[0]);
    Ar[1] := (s[0] & Br[1]) | (s[1] & Xu[1] & Cr[1]);
    Ar[2] := (s[0] & Br[2]) | (s[1] & Xu[2] & Cr[2]);
    Ar[3] := (s[0] & Br[3]) | (s[1] & Xu[3] & Cr[3]);
    Br[0] := s[2] & ((Xu[0] & Ds[0]) | (Xu[1] & Es[0]) | (Xu[2] & Fs[0]) | (Xu[3] & Gs[0]));
    Br[1] := s[2] & ((Xu[0] & Ds[1]) | (Xu[1] & Es[1]) | (Xu[2] & Fs[1]) | (Xu[3] & Gs[1]));
    Br[2] := s[2] & ((Xu[0] & Ds[2]) | (Xu[1] & Es[2]) | (Xu[2] & Fs[2]) | (Xu[3] & Gs[2]));
    Br[3] := s[2] & ((Xu[0] & Ds[3]) | (Xu[1] & Es[3]) | (Xu[2] & Fs[3]) | (Xu[3] & Gs[3]));
    Cr[0] := s[3];
    Cr[1] := s[4];
    Cr[2] := s[5];
    Cr[3] := s[6];
    ...

Figure 14: Derived variables


We define derived variables by assigning a value to a variable without using init or next. These assignments have the form A[j] := exp, where exp is constructed according to Figure 12 in the same manner as presented in Section 5.1.3. Figure 14 presents the definitions of these derived variables in the case of our running example.
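The translation of Sections 5.1 and 5.2 as an added Python example (this is not the paper's translator). With recursive=True it generates the general AFSM(π) model of Section 5.1: declarations, initialization, the if/else transition relation with the fixpoint flag, and the CTL property, following the forms of Figures 10 to 13. With recursive=False it generates the Section 5.2 model of Figure 14, in which role vectors are derived variables and there is no fixpoint flag. The tuple encoding of statements, the MODULE/VAR/ASSIGN/SPEC scaffolding around the statement forms the figures show, and the scaled-down running example with two new principals (D and E) are assumptions made for the example.

```python
"""Translate an RCPI into SMV text following Sections 5.1 and 5.2.

Statements use the same tuple form as the AFSM example: (defined_role, kind,
argument) with kind in {"member", "incl", "linked", "inter"}.
"""


def smv_role(role):
    """A.r -> Ar, the naming convention of Figures 13 and 14."""
    return role.replace(".", "")


def disjunct(i, stmt, j, principals):
    """Figure 12: the disjunct that statement i (A <- e) contributes to A[j], or
    None when a simple-member statement names a principal other than j."""
    _, kind, arg = stmt
    if kind == "member":                                   # A <- B, only for j = index of B
        return f"s[{i}]" if principals[j] == arg else None
    if kind == "incl":                                     # A <- B.r
        return f"(s[{i}] & {smv_role(arg)}[{j}])"
    if kind == "linked":                                   # A <- B.r.s
        base, name = arg
        e = [f"({smv_role(base)}[{k}] & {c}{name}[{j}])" for k, c in enumerate(principals)]
        return f"(s[{i}] & ({' | '.join(e)}))"
    if kind == "inter":                                    # A <- B.r ∩ C.s
        left, right = arg
        return f"(s[{i}] & {smv_role(left)}[{j}] & {smv_role(right)}[{j}])"
    raise ValueError(f"unknown statement kind {kind!r}")


def role_expr(max_tbe, role, j, principals):
    """Disjunction over every statement defining role; an undefined role stays empty."""
    parts = [d for i, st in enumerate(max_tbe) if st[0] == role
             for d in (disjunct(i, st, j, principals),) if d is not None]
    return " | ".join(parts) if parts else "0"


def emit(max_tbe, fixed, principals, roles, big, small, recursive=True):
    """SMV text for the query big ⊒ small. recursive=True gives the general
    AFSM(pi) model of Section 5.1: role vectors are state variables, updated by
    next() until the fixpoint flag is set. recursive=False gives the Section 5.2
    model, valid only for non-recursive P: role vectors are derived variables
    (macros over the policy-state bits, as in Figure 14) and there is no flag."""
    R, n = smv_role, len(principals)
    cells = [(r, j) for r in roles for j in range(n)]
    free = [i for i, st in enumerate(max_tbe) if st not in fixed]
    out = ["MODULE main", "VAR", f"  s : array 0..{len(max_tbe) - 1} of boolean;"]
    out += [f"  {R(r)} : array 0..{n - 1} of boolean;" for r in roles]
    out += ["  fixpoint : boolean;"] if recursive else []
    out += ["ASSIGN", "  -- policy state: statements of shrink-restricted roles are constants"]
    out += [f"  s[{i}] := 1;" if st in fixed else f"  init(s[{i}]) := {{0,1}};"
            for i, st in enumerate(max_tbe)]
    if not recursive:
        out += [f"  {R(r)}[{j}] := {role_expr(max_tbe, r, j, principals)};" for r, j in cells]
        out.append(f"SPEC AG(({R(big)} | {R(small)}) = {R(big)})")
        return "\n".join(out) + "\n"
    out += [f"  init({R(r)}[{j}]) := 0;" for r, j in cells] + ["  init(fixpoint) := 0;"]
    keep = [f"    next(s[{i}]) := s[{i}];" for i in free]
    out += ["  if (fixpoint) {", "    -- stay in this state forever"] + keep
    out += [f"    next({R(r)}[{j}]) := {R(r)}[{j}];" for r, j in cells]
    out += ["    next(fixpoint) := fixpoint;", "  } else {", "    -- next policy state"] + keep
    out += ["    -- next role state"]
    out += [f"    next({R(r)}[{j}]) := {role_expr(max_tbe, r, j, principals)};" for r, j in cells]
    same = " & ".join(f"(next({R(r)}[{j}]) = {R(r)}[{j}])" for r, j in cells)
    out += ["    -- next fixpoint state", f"    next(fixpoint) := {same};", "  }"]
    out.append(f"SPEC AG(fixpoint -> (({R(big)} | {R(small)}) = {R(big)}))")
    return "\n".join(out) + "\n"


def example():
    """Constructed, scaled-down running example (two new principals, D and E)."""
    principals = ["D", "E"]
    new_roles = ["C.r", "X.u", "D.s", "E.s"]
    max_tbe = [("A.r", "incl", "B.r"), ("A.r", "inter", ("X.u", "C.r")),
               ("B.r", "linked", ("X.u", "s"))]
    max_tbe += [(r, "member", p) for r in new_roles for p in principals]
    return max_tbe, [max_tbe[2]], principals, ["A.r", "B.r"] + new_roles


if __name__ == "__main__":
    print(emit(*example(), "X.u", "A.r"))
    print(emit(*example(), "X.u", "A.r", recursive=False))
```

The two outputs differ exactly where the text says they should: the general model carries init and next assignments for every role bit plus the fixpoint flag, so each role bit is a state variable; the non-recursive model assigns each role bit once, as a macro over s, so the only state variables are the free statement bits and the property is checked directly on the initial states.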

5.3  Output 

Once we translate an RCPI into the SMV model and its specification, the SMV model checker is used to determine whether or not the model satisfies the specification. In the case that it does, SMV reports that the property is verified. In the case that the model fails to satisfy the specification, SMV produces a counterexample. The counterexample is given by a sequence of states that falsify the specification. It is provided in the output in the form of a list of the relevant variables and their values. Variable s is a bit vector that indicates which RT statements are present in the current policy state. The value of s[i] is true just in case the policy state includes the statement indexed by i. The membership of roles can also be read off: A[j] is true when principal j is in the membership of the role A.

The counterexample received from SMV in this encoding corresponds to P'' in Theorem 19. As discussed in and below Proposition 20, we can use it to construct a counterexample P' to the original RCPI π by adding to it the statements of P|S_R − DefRoles'(π). For the purposes of presenting this counterexample, we propose using the same policy visualization techniques as used throughout this paper, augmented by highlighting the roles to which E, the witness that [X.u]_{P'} does not contain [A.r]_{P'}, belongs. This will enable the user to see how E can be added to [A.r]_{P'} without being added to [X.u]_{P'}.

6  Abstraction  for  Semi-Decision  Procedures 

The sound and complete decision procedure given in Section 4 constructs an AFSM having a number of reachable states that is double exponential in the size of SigRoles. As the size of SigRoles grows, the model rapidly becomes too large to be verified by a model checker. (In the formal methods literature, this is often called the state space explosion problem.) To alleviate this problem, we introduce two semi-decision procedures that can be applied to dramatically reduce the number of states that a model checker must consider. These techniques often yield problem instances for which model checking is an effective analysis technique where it otherwise would not be. The price of this effectiveness is either false negatives or false positives, depending on the semi-decision procedure used. We provide one semi-decision procedure for which positive answers can be trusted and one for which negative answers can be trusted. Unfortunately, there are some problem instances for which neither semi-decision procedure produces an answer that can be trusted (otherwise, we could construct an efficient full decision procedure).

The first abstraction, called Principal Abstraction, modifies the construction of N' to introduce fewer new principals than is known to be sufficient to guarantee that all counterexamples are found. In other words, some counterexamples may be missed, leading to the impression that the query is satisfied when it is not (false positives). This abstraction is introduced during the construction of the AFSM, making it applicable only to model checking and, perhaps, similar techniques based on finite state machines. The second abstraction, called Restriction Relaxation, relaxes the restriction rule R in the sense that fewer roles are prevented from having statements that define them added or removed. This has the effect of making more policy states reachable, although when used in combination with the other reductions, it typically increases only the number of different role memberships (semantics) that are induced, while actually visiting and evaluating fewer policy states. In particular, the effectiveness of the COI reduction (see Section 3.1) is significantly enhanced by reducing the number of roles that are growth restricted.

The two abstractions are complementary in nature. When the Principal Abstraction produces a counterexample, it is known that the query in the RCPI is genuinely not satisfied. When the Restriction Relaxation produces an affirmative verification, it is guaranteed that the original RCPI is satisfied. Though these techniques cannot always prove or refute the satisfaction of a given RCPI, their integration with model checking enables security experts to automatically detect errors during early policy design, which tends to be error-prone.

6.1  Principal  Abstraction 

The construction of N' introduces an exponential number of new principals. This guarantees that a counterexample to the RCPI exists if and only if a counterexample can be produced by the AFSM. In many cases this number of new principals may be excessive compared to the number actually necessary to expose these counterexamples. It is often the case that we can expose counterexamples with far fewer new principals, which is advantageous since we then require fewer new simple member statements and thus significantly reduce the cost of analysis. The Principal Abstraction technique reduces the number of inspected policy states by using fewer new principals than is known to be sufficient to guarantee that every counterexample is found. This technique is valuable in the sense that when a counterexample is detected, it is a counterexample to the original RCPI. The technique is complete in the sense that every RCPI that is in fact satisfied is reported by the analysis to be satisfied. However, the technique is not sound; when the analysis reports that no counterexample is detected (i.e., an affirmative answer to the query is given), we cannot be sure whether or not the RCPI is satisfied. The following theorem states the completeness of the technique. It does this by stating that if there is a counterexample that uses some number of new principals n, then there is a counterexample that uses 2^{|SigRoles(π)|} new principals. The theorem makes use of a variant of N'(π), N''(π, n), the definition of which is identical to that of N' except that NewPrinc(π) is replaced by NewPrinc(π, n), which is a set of new principals, disjoint from Principals(P) ∪ Principals(R), and whose cardinality is n. Thus, N'(π) = N''(π, 2^{|SigRoles(π)|}) up to principal renaming.
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Theorem  23  Given  an  RCPI,  n  =  (V,lZ,X.u  □  A.r),  and  a  natural  number  n,  if  there  exists  V  and 
E  G  Principals^')  such  that  E  G  [Ar]p/,  E  0  [X.uJ-p/,  and  and  -P[sTCnDefRoles'(7r)  C  V'  C  (V  U 
AT  "(it,  n))  |'DefR0ieS'(7i-)  th 'ten  there  exists  a  V"  such  that  V  V"  and  there  exists  a  principal  E  such  that 
E  G  [Ar]-p//  and  E  0  \X.u\pn. 

Proof.  Follows  from  theorem  19.  I 

Choosing an appropriate number of principals to use can be challenging. Through our experience and
experimentation, we suggest that in many cases the number of new principals should be proportional to the
number of linked role expressions. Recall that a linked role expression has the form B.r1.r2 as part of a
linked inclusion statement; we recommend that the number of new principals be the number of elements in
{ B.r1.r2 | A.r ← B.r1.r2 ∈ 𝒫 } plus one. This allows each linked role expression to introduce one new
sub-linked role with one new principal into the policy. Furthermore, the additional principal may serve as
the witness to the counterexample. In other words, E would be the witness in the state 𝒫′ where
E ∈ [A.r]_𝒫′ and E ∉ [X.u]_𝒫′. Thus, given any policy with the statement A.r ← B.r1.r2, we know that one new
sub-linked role for a given linked role expression is sufficient, because new principals cannot be in
Principals(𝒫), and thus if a linked role expression were to have a new sub-linked role, that sub-linked role
cannot be in the restriction rule. In other words, one new principal C ∈ B.r1 produces the sub-linked role
C.r2, which must be unrestricted. Furthermore, at most one new and unrestricted sub-linked role is necessary,
since any additional one could not introduce into the membership of A.r any principal that could not have
been introduced with a single unrestricted sub-linked role. That is, since C.r2 is unrestricted, introducing
D ∈ B.r1 to produce D.r2 contributes nothing to A.r that could not have been contributed through C.r2. Thus
we consider D extraneous; it serves only to increase the cost of analysis. It is significant to note that
while we suggest a bound for the number of new principals, it is often the case that two or three principals
work sufficiently well to find many counterexamples.

Figure 15 demonstrates how Principal Abstraction can be used to find a counterexample with three new
principals. The state space is significantly smaller than with 26 or 64 new principals, which yield an RCPI
that is prohibitive for model checking. In this example, it is necessary to add three new principals in order
to expose a counterexample; when we apply our technique and limit the number of new principals to two, no
counterexample can be detected. As this example demonstrates, Principal Abstraction can be an effective means
of identifying a counterexample to the original policy by using a dramatically smaller policy.
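The following Python is an added example, not code from the paper or from RT-SPACE. It transcribes the Figure 15 policy, computes RT role membership as a least fixpoint, and enumerates the states available to Principal Abstraction under a budget of new principals; the tuple encoding of statements and the state model (only new principals are added to unrestricted roles, while restricted roles keep exactly their statements) are assumptions of the example that simplify MaxTBE.

```python
"""Added example: RT role membership and a Principal Abstraction check on the
Figure 15 policy. Statements are encoded as tuples (an assumption of this example):
  ("member", "A.r", "B")             A.r <- B
  ("incl",   "A.r", "B.r1")          A.r <- B.r1
  ("linked", "A.r", "B.r1", "r2")    A.r <- B.r1.r2
  ("inter",  "A.r", "B.r1", "C.r2")  A.r <- B.r1 n C.r2
"""
from itertools import product


def members(policy):
    """Least fixpoint of the RT rules: maps role -> frozenset of member principals."""
    mem = {}
    changed = True
    while changed:
        changed = False
        for stmt in policy:
            kind, head = stmt[0], stmt[1]
            if kind == "member":                      # A.r <- B
                new = {stmt[2]}
            elif kind == "incl":                      # A.r <- B.r1
                new = set(mem.get(stmt[2], ()))
            elif kind == "linked":                    # A.r <- B.r1.r2: union of C.r2 over C in B.r1
                new = set()
                for c in mem.get(stmt[2], ()):
                    new |= mem.get(f"{c}.{stmt[3]}", frozenset())
            elif kind == "inter":                     # A.r <- B.r1 n C.r2
                new = mem.get(stmt[2], frozenset()) & mem.get(stmt[3], frozenset())
            else:
                raise ValueError(f"unknown statement kind {kind}")
            cur = mem.get(head, frozenset())
            if not new <= cur:
                mem[head] = cur | new
                changed = True
    return mem


def witness(policy, sup, sub):
    """Smallest principal E with E in sub and E not in sup, i.e. a counterexample
    to the containment query sup ⊒ sub, or None when sub ⊆ sup holds."""
    mem = members(policy)
    wit = mem.get(sub, frozenset()) - mem.get(sup, frozenset())
    return min(wit) if wit else None


# Figure 15a, transcribed: policy P. Every role in RESTRICTED is both growth and
# shrink restricted (G_R = S_R), so only the unrestricted roles may change.
FIG15_POLICY = [
    ("inter",  "A.r",  "B.r1", "C.r2"),   # 0  A.r  <- B.r1 n C.r2
    ("linked", "B.r1", "D.r3", "r4"),     # 1  B.r1 <- D.r3.r4
    ("linked", "C.r2", "E.r5", "r4"),     # 2  C.r2 <- E.r5.r4
    ("inter",  "F.r6", "D.r3", "E.r5"),   # 3  F.r6 <- D.r3 n E.r5
    ("linked", "X.u",  "F.r6", "r4"),     # 4  X.u  <- F.r6.r4
    ("incl",   "X.u",  "D.r3"),           # 5  X.u  <- D.r3
    ("incl",   "X.u",  "E.r5"),           # 6  X.u  <- E.r5
]
RESTRICTED = {"A.r", "B.r1", "C.r2", "F.r6", "X.u"}

# Figure 15c, transcribed: the statements that, added to P, expose the counterexample.
FIG15C_STATE = [
    ("member", "D.r3", "P1"),    # 7
    ("member", "E.r5", "P2"),    # 10
    ("member", "P1.r4", "P3"),   # 15
    ("member", "P2.r4", "P3"),   # 16
]


def changeable_roles(policy, new_principals):
    """Roles the analysis may populate with new principals: the unrestricted roles
    named in P plus the sub-linked role Pi.r2 of each new principal Pi for every
    linked role name r2 in P (assumed simplification of MaxTBE)."""
    roles = set()
    for stmt in policy:
        roles.update(part for part in stmt[2:] if "." in part)
        if stmt[0] == "linked":
            roles.update(f"{p}.{stmt[3]}" for p in new_principals)
    return sorted(roles - RESTRICTED)


def abstracted_counterexample(policy, new_principals, sup="X.u", sub="A.r"):
    """Principal Abstraction with a fixed budget of new principals: enumerate every
    state in which each changeable role holds any subset of the new principals and
    return (witness, added statements) for the first counterexample, or None when
    no state within this budget refutes sup ⊒ sub (an inconclusive result)."""
    slots = [(role, p) for role in changeable_roles(policy, new_principals)
             for p in new_principals]
    for bits in product((0, 1), repeat=len(slots)):
        added = [("member", role, p) for (role, p), b in zip(slots, bits) if b]
        e = witness(policy + added, sup, sub)
        if e is not None:
            return e, added
    return None


if __name__ == "__main__":
    print("Figure 15c witness:", witness(FIG15_POLICY + FIG15C_STATE, "X.u", "A.r"))
    print("2 new principals:", abstracted_counterexample(FIG15_POLICY, ["P1", "P2"]))
    print("3 new principals:", abstracted_counterexample(FIG15_POLICY, ["P1", "P2", "P3"]))
```

With two new principals the search finds no state in which A.r contains a principal outside X.u, which is the inconclusive outcome the text describes; with three, the Figure 15c state (and others like it) is found.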

6.2 Restriction Relaxation

Our second abstraction technique relaxes the restriction rule by removing one or more roles from both G_R
and S_R. Recall that COI removes statements that define roles that are not restricted, yielding an RCPI that
is equivalent with respect to analysis results, but typically smaller. Removing roles from the restriction
rule can enable COI to make the RCPI smaller still, potentially much smaller.

Definition 24 Given an RCPI $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ and a set of roles
$\mathcal{M}$, we define $RR(\pi, \mathcal{M}) = (\mathcal{P}, \mathcal{R}', X.u \sqsupseteq A.r)$ in which
$\mathcal{R}' = (G_{\mathcal{R}} - \mathcal{M},\; S_{\mathcal{R}} - \mathcal{M})$.

The following theorem says that the abstraction RR is sound.

Theorem 25 Let $\pi$ be any RCPI, $\mathcal{M}$ any set of roles, and $\pi' = RR(\pi, \mathcal{M})$. If
$\pi'$ is satisfied, then $\pi$ is also satisfied.

Proof. Intuitively, this holds because any role membership of X.u and A.r induced by a policy state that is
reachable under π will also be induced by some state reachable under π′. Thus if all states reachable under
π′ satisfy the query, then all states reachable under π also satisfy the query. The result follows formally
from the definition of reachability. ∎

The converse does not hold; when a counterexample exists for π′, there may not be a counterexample for π.
Thus, the technique is not complete.

a. π = (𝒫, ℛ, X.u ⊒ A.r)

    Index   Policy statement of 𝒫
    0       A.r  ← B.r1 ∩ C.r2
    1       B.r1 ← D.r3.r4
    2       C.r2 ← E.r5.r4
    3       F.r6 ← D.r3 ∩ E.r5
    4       X.u  ← F.r6.r4
    5       X.u  ← D.r3
    6       X.u  ← E.r5

    G_R = {A.r, B.r1, C.r2, F.r6, X.u}
    S_R = {A.r, B.r1, C.r2, F.r6, X.u}

b. MaxTBE(π) with 2 new principals: P1, P2

    Index   New model statement
    7       D.r3  ← P1
    8       D.r3  ← P2
    9       E.r5  ← P1
    10      E.r5  ← P2
    11      P1.r4 ← P1
    12      P1.r4 ← P2
    13      P2.r4 ← P1
    14      P2.r4 ← P2

c. Counterexample of MaxTBE(π) with 3 new principals: P1, P2, P3

    Index   Relevant statement
    7       D.r3  ← P1
    10      E.r5  ← P2
    15      P1.r4 ← P3
    16      P2.r4 ← P3

Figure 15: Principal abstraction examples

    Index   Policy statement of 𝒫
    0       X.u ← B.r
    1       A.r ← B.r
    2       B.r ← C.r ∩ D.r
    3       B.r ← E.r.s

    G_R = {A.r}, S_R = {X.u, B.r}
    RCPI (𝒫, ℛ, X.u ⊒ A.r)
    S′_R = {X.u}

    Policy state    Statement indices
    𝒫               0, 1, 2, 3
    RR(𝒫, ℛ)        0, 1

Figure 16: Restriction relaxation (RR) example

As discussed in the introduction, even if the policy-state space that is reachable from 𝒫 according to ℛ′
is larger than that reachable according to ℛ, less computational effort is typically required to solve
(𝒫, ℛ′, X.u ⊒ A.r). This is because, while more policy states are theoretically reachable, the COI
reduction enables the analysis to visit fewer states that are redundant in the sense that another, often
smaller, state induces the same role memberships.

The simple example in Figure 16 illustrates the effect that Restriction Relaxation can have. The given
π = (𝒫, ℛ, X.u ⊒ A.r) is clearly satisfied because X.u and A.r are defined by statements 0 and 1,
respectively, and no others. None of the pre-processing reductions from Section 3 can further reduce this
RCPI. The largest policy state to be evaluated for π, MaxTBE(π), contains 4 significant roles, 16 new
principals, and approximately 572 new simple member statements. Such an RCPI usually cannot be model
checked. Now suppose we apply Restriction Relaxation by removing B.r from G_R and S_R and then apply COI.
The resulting π′ = (𝒫′, ℛ′, X.u ⊒ A.r) would consist of 2 statements, and MaxTBE(π′) would require only
one new principal and one simple member statement. Clearly the difference between evaluating 572 statements
and 3 statements is significant.
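As an added example (not code from the paper or from RT-SPACE), the following Python applies RR to the Figure 16 RCPI and then a COI-style pruning that keeps only statements defining restricted roles the queried roles depend on. The tuple encoding of statements is an assumption of the example, and the dependency traversal is this example's reading of DefRoles(𝒫, role, S) (defining statements are followed only through roles in S), not the paper's definition.

```python
"""Added example: Restriction Relaxation followed by COI-style pruning on the
Figure 16 RCPI. Statement encoding (an assumption of this example):
  ("member", head, principal)      head <- principal
  ("incl",   head, role)           head <- role
  ("linked", head, role, name)     head <- role.name
  ("inter",  head, role1, role2)   head <- role1 n role2
"""


def body_roles(stmt):
    """Roles named in a statement's body, i.e. roles its head depends on.
    For a linked expression B.r1.r2 only B.r1 is known statically."""
    kind = stmt[0]
    if kind == "member":
        return []
    if kind == "incl" or kind == "linked":
        return [stmt[2]]
    if kind == "inter":
        return [stmt[2], stmt[3]]
    raise ValueError(f"unknown statement kind {kind}")


def dependent_roles(policy, role, through):
    """Roles on which `role`'s membership depends, following a role's defining
    statements only while that role lies in `through` (assumed reading of
    DefRoles): an unrestricted role may take any membership in some reachable
    state, so the statements that define it cannot change the answer."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        if r in through:
            for stmt in policy:
                if stmt[1] == r:
                    stack.extend(body_roles(stmt))
    return seen


def restriction_relaxation(rule, dropped):
    """RR(pi, M): remove the roles in M from both G_R and S_R."""
    g, s = rule
    return (g - dropped, s - dropped)


def cone_of_influence(policy, rule, sup, sub):
    """Keep only statements that define a restricted role on which one of the
    queried roles depends; all other statements are dropped."""
    restricted = rule[0] | rule[1]
    needed = (dependent_roles(policy, sup, restricted)
              | dependent_roles(policy, sub, restricted))
    return [stmt for stmt in policy if stmt[1] in needed and stmt[1] in restricted]


# Figure 16, transcribed: P, G_R = {A.r}, S_R = {X.u, B.r}, query X.u ⊒ A.r.
FIG16_POLICY = [
    ("incl",   "X.u", "B.r"),          # 0  X.u <- B.r
    ("incl",   "A.r", "B.r"),          # 1  A.r <- B.r
    ("inter",  "B.r", "C.r", "D.r"),   # 2  B.r <- C.r n D.r
    ("linked", "B.r", "E.r", "s"),     # 3  B.r <- E.r.s
]
FIG16_RULE = ({"A.r"}, {"X.u", "B.r"})


def relax_and_prune(policy, rule, dropped, sup="X.u", sub="A.r"):
    """Apply RR for `dropped`, then COI; return the relaxed rule and the
    indices (positions in `policy`) of the statements that survive."""
    relaxed = restriction_relaxation(rule, dropped)
    kept = cone_of_influence(policy, relaxed, sup, sub)
    return relaxed, [policy.index(stmt) for stmt in kept]


if __name__ == "__main__":
    print("COI alone keeps:", relax_and_prune(FIG16_POLICY, FIG16_RULE, set()))
    print("RR({B.r}) then COI keeps:", relax_and_prune(FIG16_POLICY, FIG16_RULE, {"B.r"}))
```

Without relaxation all four statements survive because B.r is shrink restricted; once B.r is dropped from the rule, statements 2 and 3 define an unrestricted role and only statements 0 and 1 remain, matching the policy-state table in Figure 16.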

Discussion When an RCPI is too large for the sound and complete reductions presented in Section 3 to
enable satisfaction to be decided, the semi-decision procedures presented in this section can often decide
whether that particular instance is satisfied. By using Restriction Relaxation, many RCPIs can be determined
to be satisfied. By using Principal Abstraction, many RCPIs can be determined not to be satisfied. Thus, these
techniques complement each other. Of course, when the RCPI obtained by using Principal Abstraction is
satisfied and the one obtained by using Restriction Relaxation is not, the semi-decision procedures are
unable to determine whether the RCPI is satisfied.
7 RT-SPACE

This section describes the policy analysis framework, RT Security Policy Analysis & Correction Environment
(RT-SPACE) [28], and its major components. We implement the translation approaches, all of the reductions,
and the semi-complete abstraction techniques. Additionally, we build a graphical user interface to ease
users' efforts to input RCPIs and to understand the results of the formal verifications. RT-SPACE not only
serves as a proof of concept for our theoretical work, but also provides us with the means to empirically
evaluate the effectiveness of these techniques.

Figure 17: Policy Analysis Framework RT-SPACE

7.1 Tool Description & Usage

The RT-SPACE tool (Figure 17) consists of several major components, including a graphical user interface
(GUI), a visualization component built on a graph rendering package called Grappa from AT&T Labs [3], a
reduction component, a translation component, and an interface component to the Cadence SMV model checker.
This interface component includes a parser for extracting SMV results and a pretty-printer component that
assists in visualizing counterexample results. The tool was implemented in Java SE 1.5 and can be used
independently of SMV if desired, allowing it to be fully portable since Grappa is a Java API.

The GUI provides the policy author a means of inputting RCPIs, either by loading them from text files or by
typing the policy, restriction rule and query directly into the user interface. In either case, the tool
constructs an RDG from the input RCPI and uses Grappa to visualize it. Recall that the RDG is a data
structure that is used for various purposes in each of the major components of the policy analysis
framework. It is useful not only for analyzing role-to-role and role-to-principal relationships, but also
for visually depicting these relationships. In addition, the RDG makes it easy to describe the sequence of
roles that permits a principal to be a member of a given role, and how the policy may change.

The GUI seamlessly integrates the textual description of the policy and restriction rule with the visual
description of the RDG by updating the graphic as the text changes. Figure 18 provides two screenshots of
the tool. The first screenshot features the policy from the running example in Section 4. The tool's
interface is composed of a text edit area on the left hand side, a visualization area on the right hand
side, and a set of buttons centered above.

The usage of this tool can be described as follows. First, the policy author writes or edits a policy in the
text edit area along with the restriction rule sets. Roles are expressed as principal.roleName, the
inclusion operator is expressed as “<—”, and the intersection operator is expressed as “[symbol not legible
in the source]”. Once the policy and restriction rule are provided, the user presses the Validate/Reset
Policy button; the tool constructs the RDG and displays it on the right hand side, as illustrated in
Figure 18a. Next, the policy author provides a query by selecting the Query button and entering a query in
the resulting dialog box. For a given RCPI π = (𝒫, ℛ, X.u ⊒ A.r), the input query would be X.u >> A.r,
where >> represents ⊒. After constructing the query, the policy author may optionally perform the set of
applicable reductions by first opening the Preprocessing menu and selecting some set of reductions as
desired. Execution of the reductions begins after selection of the Preprocess button. Upon completion, the
policy author may optionally select some set of abstractions⁹ from the Translation menu and commence
translation by selecting the Translation button. After translation has completed, the policy author may
view the SMV model and specification before continuing with the analysis. When ready, the policy author
selects the Run Analysis button to call SMV. In the case where the model satisfies the specification, a
verification message is produced along with the associated execution time. Otherwise, the model checker
produces a counterexample and returns this information to the tool, which then constructs an RDG and
displays it to the policy author, as illustrated in Figure 18b. The policy author may then edit the policy
and restriction rule on the left hand side in pursuit of a correction.

7.2 Visualization Benefits

Visualizing the RDG is beneficial because it illustrates the relationships between roles in the policy, and
in particular the relationship between the queried roles. It allows us to ask questions such as the
following. Is one role dependent on another role? Do the DefRoles of the queried roles overlap, and to what
extent? Are there cyclic dependencies? Answering such questions is significant for two reasons. First, it
may yield the ability to predict the answer to the RCPI based on the structure of the graph without
exploring the state space. Second, it may provide insight into effective abstraction parameters.
Furthermore, it can also illustrate a counterexample to the policy author, which assists in RCPI
correction. By providing the counterexample in the form of an RDG, the policy author can visualize the
subgraph of roles and policy statements that permit or deny a witness principal into the queried roles. In
other words, it allows the user to focus on that part of the policy in which the security property failed
to be satisfied.

⁹ On the first attempt it is often useful to perform the translation and subsequent model checking without
any abstractions in order to determine whether or not the analysis can go through. In the case that
translation or model checking takes too much time, we recommend applying the abstractions as needed.

a. Input Policy    b. Counterexample

Figure 18: RT-SPACE GUI

7.3 Using Semi-Decision Procedures

Now that we understand how to interface with the tool, let us examine in more detail how we might apply
each of the abstractions for semi-decision procedures. Unlike the reductions, which can be applied in every
case, recall from Section 6 that the semi-decision procedures are employed when the model checker cannot
finish verifying an RCPI in a reasonable time. Semi-decision procedures require some input based on the
user's intuition as to whether the given RCPI is satisfied or not. If the user suspects the RCPI is
satisfied, restriction relaxation is selected; then any satisfied result produced is valid. If the user
suspects the RCPI is not satisfied, principal abstraction is applied; then any counterexample produced is
valid. It is important to note that if the model checker finishes, it produces a result indicating whether
or not the model satisfies the specification. If the model checker reports that a principal-abstracted model
satisfies the specification, we interpret this to mean that the result is inconclusive. Likewise, if the
model checker reports that a restriction-relaxed model produces a counterexample to the specification, we
interpret this to mean that the result is again inconclusive. Therefore, between these two complementary
abstractions, we may be left with an affirmation, a counterexample, or an inconclusive result.

The usage of these abstractions is straightforward. Assuming we suspect that the RCPI is not satisfied, we
apply principal abstraction with a constraint that limits the analysis to a smaller number of new principals
than would otherwise be required. In our experience, two principals is often a good starting point, since
it allows one principal to be an independent witness and the other to be used as part of a sub-linked role
in linked role expressions. If the RCPI result is affirmative, then we increment the number of new
principals and re-evaluate. At some point the principal abstraction will become ineffective, as the model
checking fails to finish in a reasonable amount of time. We often start with principal abstraction for a
newly crafted policy, since such a policy is likely to falsify the property (i.e., to produce a
counterexample).

As confidence in the policy grows, the policy author may consider turning to restriction relaxation in lieu
of principal abstraction. Choosing an appropriate role to relax can seem arbitrary at first, but we suggest
a few heuristics that may help. First, as mentioned in Section 6.2, try to relax a role that is defined by
linked role and intersection inclusion statements, as this may reduce the number of significant roles and
thus the size of the reachable state space we need to consider. Second, try to relax a role defined by many
simple member statements. This reduces the number of direct principals (see Section 4.1.1), which may also
reduce the size of the reachable state space. Finally, given an RDG of the RCPI, try to relax a role with a
minimal number of edges from the queried roles, and if unsuccessful, attempt to relax roles progressively
further away from the queried roles.

8 Empirical Findings & Analysis

This section describes the empirical evaluation conducted to determine the effectiveness of our formal
analysis techniques: model checking, reductions, and abstractions. As a theoretical language, RT is not
currently deployed in any operational access control system, which makes selection of naturally occurring
policies problematic. In their absence, we generate test cases by fashioning RCPIs by hand that display
features of interest, as well as by randomly generating RCPIs. We evaluate these RCPIs with the following
goals in mind. First, we intend to demonstrate that despite the fact that the role-containment problem is
EXPTIME complete [36], our model checking technique can in many cases produce decisive answers to problem
instances in a reasonable amount of time. Second, we intend to assess the impact of our reduction techniques
and provide evidence supporting our conjecture that these techniques turn a significant number of RCPIs into
manageable forms. Finally, we intend to validate our semi-decision procedures and associated strategies.

We begin by describing the characteristics of problem instances that may affect the performance and
effectiveness of the analysis techniques. These features were chosen based on our experience with the
role-containment problem, and provide a framework for test case selection. Next we present the partial
order in which the set of reductions is applied to maximize the benefit of these techniques. Then we
describe our methodology for evaluating these test cases. Finally, we conclude with an analysis of the data
and a summary of results.

8.1 Role Containment Problem Feature Set

In this section, we describe several features of RCPIs that often influence the cost of analysis when they
are present. Our intent is to inventory features that affect cost, though we recognize our list is
inevitably incomplete. In working with the problem, we have observed that RCPIs exhibiting these features
tend to require greater computational resources than those that do not. These features include (1) the
number of principals in MaxTBE(π), (2) growth unrestricted roles, (3) cyclic dependencies, (4) multiply
occurring linked role names, (5) the number of roles on which the membership of both queried roles depends,
and (6) the number of unrestricted roles and their location in the policy in relation to the queried roles.
This section discusses each of these characteristics in turn.

Number of Principals in MaxTBE(π) One characteristic that has a significant impact on the cost of analyzing
a given RCPI is the number of principals in MaxTBE(π). As the number of principals in the RCPI increases,
so does the number of sub-linked roles and simple member policy statements that we need to introduce into
MaxTBE(π). Specifically, the number of new principals and direct principals influences the size of the
reachable state space, where a direct principal is a principal in {B | A.r ← B ∈ 𝒫}. Recall that the number
of new principals is determined by the number of distinct intersections and linked roles in 𝒫. The issue
with direct principals is that the analysis must consider states that include all combinations of simple
member statements introducing these principals into each growth unrestricted role. Furthermore, it may also
force the consideration of many more sub-linked roles (see Section 2) than the same policy with fewer direct
principals. Thus when the set of direct principals is large, the cost of analysis can be significant.

Growth Unrestricted Roles Growth unrestricted roles also play a significant part in the cost of analysis
since, for each role A.r ∉ G_R, we need to consider all subsets of simple member statements defining A.r.
When the growth restricted set is small and the principal count is large, the computational effort required
to evaluate an RCPI with our techniques can be prohibitive.

Cyclic Role Dependencies Cyclic role dependencies do not influence the number of reachable policy states;
however, they can cause the analysis to incur a significant cost in determining role membership. This cost
appears as an increase in the AFSM's state space as compared to a non-cyclic policy. It is true that the
cost of this calculation is polynomial in time whereas the number of reachable states is exponential. Thus,
asymptotically speaking, cyclic role dependencies should not be a dominant factor in the time required for
analysis. However, our technique is sensitive to this cost, because the fixpoint calculation it uses to
compute role membership is performed by the AFSM through a sequence of state transitions. Moreover, while
relatively few AFSM states are traversed in this process, the approach increases the total number of AFSM
states by a factor that is exponential in the number of roles times the number of principals. In practice,
these costs can often mean the difference between being able to resolve the RCPI and not.

Multiply Occurring Linked Role Names A policy feature that can influence the effectiveness of our efforts
to reduce the size of MaxTBE(π) is linked role names¹⁰ that occur in multiple statements of 𝒫. There are
at least two cases involving linked role names that tend to make RCPIs expensive to analyze. The first case
occurs when a linked role name such as r1 is also found as part of a defined role, as in F.r1 ← e ∈ 𝒫.
(Apropos of the last section, this may lead to cycles.) When this occurs, it ensures that F will be a
principal of 𝒫, even if it is not a direct principal of 𝒫 (see Figure 7), and thus tends to increase the
size of MaxTBE(π).

The second case that tends to make RCPIs expensive to analyze involves linked role names shared among
linked inclusion statements, such as a role name r1 that appears in two linked role expressions, B.r.r1 and
C.r2.r1, of different linked inclusion statements in 𝒫. In this situation, it may not be safe to
aggressively apply principal abstraction. Recall the example in Figure 15 from Section 6, which describes a
situation where two principals are not sufficient to expose the counterexample. Analyzing a policy such as
this requires at least three principals: two to construct sub-linked roles and one to act as a witness
principal. Analysis of RCPIs that exhibit multiply occurring linked role names may not be able to leverage
some of the abstractions for semi-decision procedures as much as analysis of those RCPIs that do not.

Number of Roles on which Queried Roles Both Depend A feature that affects the effectiveness of the COI
reduction is the number of roles on which both queried-role memberships depend. When the size of the
intersection DefRoles(𝒫, X.u, S_R) ∩ DefRoles(𝒫, A.r, G_R) is small, the COI reduction is frequently quite
effective; however, when the size is large, it may not be, and semi-decision procedures will often need to
be tried.

Number and Location of Unrestricted Roles The number of unrestricted roles is another significant feature
due to the potential for pruning the RCPI by applying the COI reduction. Given an RDG of the RCPI, the COI
reduction is particularly effective when the unrestricted roles occur at a short distance from the queried
roles, since the graph can be truncated at those points. In addition, the Decompose reduction is influenced
by the number of unrestricted roles because it requires that A.r (and ideally the roles defining A.r) be
both growth and shrink restricted before it can be applied. As mentioned in Section 3, applying COI can
facilitate applying Decompose because it can add these roles to G_R, the set of shrink-restricted roles.
Thus, the interplay between growth and shrink restrictions is particularly consequential in the vicinity of
the queried roles.

This may suggest that COI and Decompose are complementary reductions, since one relies on the existence of
unrestricted roles while the other relies on fully restricted (growth and shrink restricted) roles.
Furthermore, it may be the case that the most difficult problems are those whose roles are exclusively
growth or exclusively shrink restricted, in which case neither COI nor Decompose would be applicable.

¹⁰ Recall that a linked role name is simply a role name in the set {r1 | A.r ← B.r.r1 ∈ 𝒫}.
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8.2  Ordering  of  Reduction  Application 

The  reductions  described  in  section  3  take  as  input  an  RCPI  and  produce  an  equivalent  set  of  one  or  more 
RCPIs.  It  follows  from  this  fact  that  the  output  of  one  reduction  may  be  the  input  to  another.  We  now 
describe  and  demonstrate  the  partial  order  in  which  these  reductions  should  be  applied. 

The  Decompose  reduction  produces  a  set  of  one  or  more  RCPIs,  each  possibly  with  a  new  role  con¬ 
tainment  query.  It  does  not  remove  any  statements  from  V ,  but  it  may  add  a  single  statement  of  the  form 
A'.r'  e  to  V  if  A.r  <-e£?.  This  reduction  relies  on  the  COI  reduction  to  actually  remove  statements, 
so  COI  should  be  applied  after  Decompose.  Interestingly,  the  COI  reduction  may  also  open  opportunities 
to  apply  Decompose  since  a  side  effect  of  COI  is  the  addition  of  roles  to  the  restriction  rule,  thus  potentially 
creating  a  situation  where  some  role  B.r  G  Giz  Cl  Sr  and  thus  eligible  as  a  decomposition  point. 

The  COI  reduction  removes  any  statement  that  fails  to  define  a  role  in  DefRolesf'P.  X.u,  Roles(P))  U 
DefRoles(P,  A.r,  Roles(P)).  Intuitively,  COI  performs  a  type  of  reachability  analysis  on  the  RDG  and 
removes  any  statement  that  defines  a  role  from  which  a  path  to  the  queried  roles  cannot  be  demonstrated. 
Since  other  reduction  can  remove  statements  and  break  previously  established  paths,  it  is  generally  a  good 
idea  to  repeat  the  COI  reduction  in  the  case  that  a  reduction  successfully  removes  a  statement.  In  other 
words,  the  removal  of  a  statement  may  cause  the  set  of  DefRoles  to  shrink,  yielding  opportunities  to  reapply 
COI. 

The ERR reduction removes all statements defining roles that are empty in all reachable states. Clearly such roles must be growth restricted, so any reduction that modifies $G_R$ must occur before ERR. Both COI and Decompose add one or more roles to $G_R$ and thus should be applied before ERR. The other reductions neither add statements to $\mathcal{P}$ nor add roles to $G_R$ and thus are independent.

Due  to  the  multiple  dependencies  of  each  reduction,  we  suggest  applying  Decompose,  COI,  and  ERR 
repeatedly  until  a  fixpoint  with  respect  to  the  RCPI  is  reached. 
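The ordering just described (Decompose, then COI, then ERR, repeated until the RCPI stops changing) can be exercised on a toy policy. The following is an added example and not code from the paper's tool: it implements COI as reachability over the role dependency graph and ERR as a conservative "possibly non-empty" fixpoint, and iterates both until no statement is removed. Decompose is omitted. The tuple encoding of statements, the reading of DefRoles as graph reachability, the treatment of linked statements, and the sample HR/Eng/Payroll policy are my own assumptions, not definitions taken from the paper.

```python
"""Added example (not the paper's tool): a small RT_0 policy model with the
COI and ERR reductions applied repeatedly to a fixpoint.  Assumptions are
mine: statements are (kind, head, body) tuples, roles are "Principal.name"
strings, DefRoles is read as dependency-graph reachability, and ERR uses a
conservative possibly-non-empty fixpoint.  Decompose is not implemented."""
from collections import namedtuple

# kind: "member"  A.r <- B             body = ("B",)
#       "simple"  A.r <- B.r1          body = ("B.r1",)
#       "linked"  A.r <- B.r1.r2       body = ("B.r1", "r2")
#       "inter"   A.r <- B.r1 & C.r2   body = ("B.r1", "C.r2")
Stmt = namedtuple("Stmt", "kind head body")


def roles_of(policy):
    """Roles(P): every role appearing in a statement head or body."""
    roles = set()
    for s in policy:
        roles.add(s.head)
        if s.kind in ("simple", "linked"):
            roles.add(s.body[0])
        elif s.kind == "inter":
            roles.update(s.body)
    return roles


def direct_deps(stmt, all_roles):
    """Roles the head of `stmt` depends on (edges of the dependency graph)."""
    if stmt.kind == "member":
        return set()
    if stmt.kind == "simple":
        return {stmt.body[0]}
    if stmt.kind == "inter":
        return set(stmt.body)
    # linked: A.r <- B.r1.r2 depends on B.r1 and, because any member D of
    # B.r1 contributes D.r2, on every known role named r2.
    b_r1, r2 = stmt.body
    return {b_r1} | {r for r in all_roles if r.split(".", 1)[1] == r2}


def def_roles(policy, role, all_roles):
    """Assumed reading of DefRoles(P, role, Roles(P)): roles reachable from
    `role` along dependency edges, `role` itself included."""
    seen, work = {role}, [role]
    while work:
        r = work.pop()
        for s in policy:
            if s.head == r:
                for d in direct_deps(s, all_roles) - seen:
                    seen.add(d)
                    work.append(d)
    return seen


def coi(policy, query, all_roles):
    """COI: keep only statements whose head role lies in
    DefRoles(P, X.u, Roles) U DefRoles(P, A.r, Roles)."""
    x_u, a_r = query
    keep = def_roles(policy, x_u, all_roles) | def_roles(policy, a_r, all_roles)
    return [s for s in policy if s.head in keep]


def err(policy, growth_restricted, all_roles):
    """ERR: drop statements defining roles that are empty in every reachable
    state.  Conservative: a growth-unrestricted role may always gain members;
    a growth-restricted role is possibly non-empty only if some defining
    statement can contribute members.  A linked statement is taken to
    contribute whenever B.r1 may be non-empty (a fresh principal's r2 role
    is itself unrestricted), so nothing is removed unsoundly."""
    nonempty = {r for r in all_roles if r not in growth_restricted}
    changed = True
    while changed:
        changed = False
        for s in policy:
            if s.head in nonempty:
                continue
            if s.kind == "member":
                ok = True
            elif s.kind in ("simple", "linked"):
                ok = s.body[0] in nonempty
            else:
                ok = all(b in nonempty for b in s.body)
            if ok:
                nonempty.add(s.head)
                changed = True
    return [s for s in policy if s.head in nonempty]


def reduce_to_fixpoint(policy, query, growth_restricted):
    """Apply COI then ERR until neither removes a statement."""
    while True:
        all_roles = roles_of(policy) | set(query)
        reduced = err(coi(policy, query, all_roles), growth_restricted, all_roles)
        if len(reduced) == len(policy):
            return reduced
        policy = reduced


# Constructed sample RCPI (not from the paper).  Query: HR.employee ⊒ Eng.staff.
SAMPLE_POLICY = [
    Stmt("member", "HR.employee", ("Alice",)),
    Stmt("simple", "HR.employee", ("Eng.staff",)),
    Stmt("member", "Eng.staff", ("Bob",)),
    Stmt("linked", "HR.employee", ("HR.partner", "staff")),
    Stmt("simple", "HR.partner", ("Legal.partner",)),  # Legal.partner stays empty
    Stmt("member", "Payroll.viewer", ("Carol",)),      # irrelevant to the query
    Stmt("inter", "Audit.reader", ("HR.employee", "Payroll.viewer")),
]
SAMPLE_GR = {"HR.employee", "HR.partner", "Eng.staff", "Legal.partner"}
SAMPLE_QUERY = ("HR.employee", "Eng.staff")

if __name__ == "__main__":
    for s in reduce_to_fixpoint(SAMPLE_POLICY, SAMPLE_QUERY, SAMPLE_GR):
        print(s)
```

On the sample, the first COI pass drops the Payroll.viewer and Audit.reader statements (no path from them to either queried role), the first ERR pass drops the statement defining HR.partner (its only source, Legal.partner, is growth restricted and has no statements), and the second pass changes nothing, leaving four statements.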

8.3  Empirical  Evaluation 

Now  that  we  have  examined  some  of  the  features  that  make  policy  analysis  costly,  we  assess  our  policy 
analysis  framework  against  various  sample  RCPIs  that  may  exhibit  one  or  more  of  these  features.  This 
exercise  is  useful  because  it  helps  establish  a  boundary  between  those  RCPIs  that  can  be  analyzed  using 
this  technique  and  those  for  which  the  computational  cost  is  prohibitive.  It  also  helps  us  determine  the 
effectiveness  of  the  reductions.  We  begin  with  a  discussion  on  how  the  test  cases  were  chosen  or  generated, 
followed  by  a  description  of  the  methodology  used  in  evaluating  the  test  cases,  an  analytical  discussion  of 
the  data  and  finally  a  summary  of  the  findings. 

8.3.1  RCPI  Test  Cases  &  Generation 

We developed a collection of RCPIs, each designed by hand or assembled by a pseudo-random RCPI generator. In the case of manual creation, we designed policies that include the policy features discussed above. In an effort to obtain more complete coverage, we also included several RCPIs constructed automatically by the RCPI generator.

Our RCPI generator is an integrated component of our tool and as such allows for a seamless transition into the analysis tool. It uses pseudo-randomness to produce test cases that satisfy constraints specified by several input parameters; certain features such as cycles are not controlled directly by parameters. The random RCPI generator produces a single RCPI based on nine input parameters: (1) the number of statements, (2) number of roles, (3) number of principals, (4) number of role names, (5) percentage of simple inclusion statements, (6) percentage of linked inclusion statements, (7) percentage of intersection inclusion statements, (8) percentage of growth restricted roles, and (9) percentage of shrink restricted roles. Assuming the constraints implied by these parameter values are mutually consistent (for example, not asking for a role given no principals), the algorithm generates an RCPI as follows. We first construct a set of roles and principals. Principals have the form $P_i$ in which $i \in \{0..n-1\}$, where $n$ is the maximum number of principals given by parameter 3. Role names have the form $r_j$ in which $j \in \{0..m-1\}$, where $m$ is the maximum number of role names given by parameter 4. We construct a set of roles by selecting principals and role names at random. Statements are then constructed at random in the proportions given by input parameters 1, 5, 6, and 7. The sets of growth and shrink restricted roles are independently and randomly chosen according to parameters 8 and 9. The query is constructed by randomly choosing two of the roles.

Cyclic role dependencies arise randomly in the generated policy. The user can control the probability of cycles occurring by controlling the relationship between the parameter values specifying the number of principals, roles, and statements to be generated.
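As an added illustration of the generation procedure just described (this is not the paper's generator), the following Python function builds an RCPI from the nine parameters using a seeded pseudo-random source, so that a test case can be reproduced exactly, and a separate function reports whether the resulting role dependency graph contains a cycle, the feature the text notes is not controlled by any parameter. The tuple encoding of statements and the treatment of a linked statement A.r ← B.r1.r2 as depending on every role named r2 are my own assumptions.

```python
"""Added example (not the paper's generator): a seeded pseudo-random RCPI
generator driven by the nine parameters in the text, plus a cycle detector
for the role dependency graph.  Encoding (assumed): statements are
(kind, head, body) tuples with kind in {"member", "simple", "linked", "inter"}."""
import random


def generate_rcpi(seed, n_stmts, n_roles, n_principals, n_role_names,
                  pct_simple, pct_linked, pct_inter, pct_growth, pct_shrink):
    rng = random.Random(seed)  # fixed seed: the same case can be regenerated
    principals = [f"P{i}" for i in range(n_principals)]
    role_names = [f"r{j}" for j in range(n_role_names)]
    pool = [f"{p}.{r}" for p in principals for r in role_names]
    if n_roles < 2 or n_roles > len(pool):
        raise ValueError("inconsistent parameters: cannot build that many roles")
    roles = rng.sample(pool, n_roles)
    # Statement kinds in the requested proportions; whatever remains is a
    # simple member statement A.r <- B.
    kinds = (["simple"] * round(n_stmts * pct_simple / 100)
             + ["linked"] * round(n_stmts * pct_linked / 100)
             + ["inter"] * round(n_stmts * pct_inter / 100))
    if len(kinds) > n_stmts:
        raise ValueError("inconsistent parameters: percentages exceed 100")
    kinds += ["member"] * (n_stmts - len(kinds))
    rng.shuffle(kinds)
    policy = []
    for kind in kinds:
        head = rng.choice(roles)
        if kind == "member":
            body = (rng.choice(principals),)
        elif kind == "simple":
            body = (rng.choice(roles),)
        elif kind == "linked":
            body = (rng.choice(roles), rng.choice(role_names))
        else:
            body = (rng.choice(roles), rng.choice(roles))
        policy.append((kind, head, body))
    # Growth- and shrink-restricted sets are drawn independently (params 8, 9).
    growth = set(rng.sample(roles, round(n_roles * pct_growth / 100)))
    shrink = set(rng.sample(roles, round(n_roles * pct_shrink / 100)))
    x_u, a_r = rng.sample(roles, 2)  # two distinct roles form the query
    return {"policy": policy, "growth_restricted": growth,
            "shrink_restricted": shrink, "query": (x_u, a_r)}


def dependency_graph(policy):
    """Edges head -> roles it depends on.  A linked statement A.r <- B.r1.r2
    depends on B.r1 and on every role named r2 (assumed reading)."""
    roles = {head for _, head, _ in policy}
    for _, _, body in policy:
        roles.update(b for b in body if "." in b)  # principals and r2 have no dot
    graph = {r: set() for r in roles}
    for kind, head, body in policy:
        if kind in ("simple", "inter"):
            graph[head].update(body)
        elif kind == "linked":
            b_r1, r2 = body
            graph[head].add(b_r1)
            graph[head].update(r for r in roles if r.split(".", 1)[1] == r2)
    return graph


def has_cycle(policy):
    """Depth-first search with three colours over the dependency graph."""
    graph = dependency_graph(policy)
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {r: WHITE for r in graph}

    def visit(r):
        colour[r] = GREY
        for d in graph[r]:
            if colour[d] == GREY or (colour[d] == WHITE and visit(d)):
                return True
        colour[r] = BLACK
        return False

    return any(colour[r] == WHITE and visit(r) for r in list(graph))


if __name__ == "__main__":
    case = generate_rcpi(1, 20, 8, 4, 3, 30, 20, 10, 50, 25)
    print(len(case["policy"]), "statements; cyclic:", has_cycle(case["policy"]))
```

Raising the number of statements relative to the number of roles makes repeated heads and bodies more likely and so raises the probability of a cycle, which is the knob the text describes.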

8.3.2  Methodology 

We now describe the methodology used to evaluate the policies in our test cases. The purpose of the evaluation is to determine the effectiveness of our model checking technique, reductions, and two semi-decision procedures. Effectiveness is defined as whether or not a conclusive answer to an RCPI can be determined. Recall from Section 4.1 that the size of the $\mathrm{MaxTBE}(\pi)$ and the corresponding reachable state space after a reduction is applied may remain too large for model checking to produce an answer in a reasonable amount of time. Also recall from Section 7.3 that abstractions may lead to inconclusive results, in the sense that validation of the query is not conclusive when principal abstraction is used, and a counterexample arising under restriction relaxation may not be reachable under the original restriction rule.

We include efficiency data as an interesting artifact of the evaluation, but it is not a dominant concern, due to the nature of model checking. Although it is conceivable that the model checker would run for several hours and eventually produce an answer, we find in practice that if the model checker does not return an answer in approximately 15 minutes and memory usage has been near capacity for several minutes, then it is generally destined to crash due to memory exhaustion.

All test runs were produced on a 2.8 GHz Dual Core Pentium running Windows XP Service Pack 3. This machine was equipped with 4 GB of memory, although only 3.5 GB was available to applications. For a given RCPI, we record the input characteristics such as the number of each type of statement, the numbers of principals, role names, roles, significant roles, and growth unrestricted roles, as well as whether cycles are present in the policy. The output from the tool indicates the time to perform reductions as well as the translation time. In the case that the model checker produces an answer, SMV provides the model checking time, the number of BDD nodes used, and the number of reachable states. The number of BDD nodes indicates the relative memory usage between evaluations of the same RCPI with various reductions and abstractions. It is also significant to note that we enabled the BDD variable sifting option within SMV in order to better manage the number of BDD nodes. This option uses heuristics to re-order BDD variables for the purpose of collapsing the structure into a smaller representation. It expends CPU time to reduce memory usage, which is the limiting factor in our application; the salient question is whether the model checker can complete at all, rather than how long it takes. Thus, all of our experiments were performed with this option selected.
8.3.3  Observations  &  Analysis

We now present the data from our evaluations. We evaluated 14 sample policies, 7 of which were presented in previous sections as examples, and 2 of which were randomly generated. The results of these experiments can be found in Tables 1 and 2. Each test case consists of an RCPI $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ and several line items associated with it. The first line for each test case indicates the results of running the analyzer with none of our reduction or abstraction techniques applied. The following lines indicate results when reductions are performed. Recall that the set of reductions is repeatedly applied until a fixpoint is reached. Furthermore, when Decompose is successful, it yields a collection of RCPIs. Each of these occupies a separate line in the table, indicated by the label Red$n$ (reduction), in which $n$ ranges between 1 and the number of subproblems generated by Decompose. The label NC is included when the non-cyclic translation was used. When reductions alone failed to enable the model checker to provide an answer, abstractions for semi-decision procedures were then employed, and the tables contain additional lines, labeled RR when restriction relaxation was used and PA$n$ when principal abstraction was used with $n$ new principals in lieu of the full number sufficient to guarantee that any existing counterexample would be found.

In addition to the columns that present the characteristics of the RCPI identified in the previous section, the tables contain two others. The column labeled Result contains CE when a counterexample was found and SAT when the query was shown to be satisfied. It is empty if the model checker was unable to terminate normally and provide an answer; in many cases this occurred because memory was exhausted, some other model-checker resource constraint was exceeded, or an unhandled exception was raised. The column labeled Correct contains crash when the model checker failed to provide an answer. It contains yes when the model checker returned the correct answer for the (sub)RCPI in question. It contains no when the answer found is incorrect, which reflects that an abstraction technique was used too aggressively.

We begin by making several general observations regarding this data. First, most of the baseline initial RCPIs for the test cases were too large to evaluate using our general translation without any reductions or abstractions. On one hand, this was intentional, since we wish to show how our reductions and abstractions allow an otherwise expensive RCPI to be evaluated; on the other hand, many of these initial RCPIs do not consist of a large set of policy statements. This reflects the difficulty of evaluating the role containment problem in general, even in small cases. Second, when abstractions are not used, our reductions and translation always produced the correct answer and in most cases required an acceptable amount of time. Recall that reductions are performed in polynomial time. On the other hand, translation can require creating a $\mathrm{MaxTBE}(\pi)$ whose size is exponential in that of the original RCPI, and hence can require exponential time. Observe that some test cases exhibit reduction or translation times that appear to be zero; this is due to the coarse resolution of the clock. Finally, the model checker was generally either able to provide an answer within 2 minutes or it eventually crashed.

Let us now examine a few specific test cases. In the first test case, we see that as few as 4 significant roles, coupled with a relatively large number of growth unrestricted roles, can produce a very large $\mathrm{MaxTBE}(\pi)$, despite the fact that the number of policy statements is not large. The cost of generating the $\mathrm{MaxTBE}(\pi)$ is reflected in the time required for its translation. Unsurprisingly, we are unable to answer this RCPI directly. However, the reductions produced two sub-problems, each of which could be handled quickly by the model checker. This improvement conforms with our observation that COI is most effective when the sets of roles on which the queried roles depend have a relatively small intersection, which is true in this case.

The second test case, borrowed from Li et al. [21], is known to be satisfied and it exhibits a cycle. Upon application of the reductions, we see that the problem is decomposed into a non-cyclic sub-problem and a cyclic sub-problem. The latter caused SMV to crash, so we turned to the abstraction of restriction relaxation. By removing SA.delegatedAccess from the set of growth restricted roles, we were able to use restriction relaxation to show that the RCPI is satisfied. Once SA.delegatedAccess was made growth unrestricted, the reductions had the effect of breaking the cyclic dependence, permitting the non-recursive case translation to be used. This suggests a general strategy regarding which roles to consider first for possible restriction relaxation.

Table 1: Evaluation data 1. [Table body not recoverable from the extracted text. Columns, as far as recoverable: Analysis, # Roles, # Significant roles, % Intersection, Cyclic, # AFSM states, # Policy states, Translation time.] Redn - Sub-RCPI #n generated from applying reductions COI, Decompose, ERR, and WFR; NR - Non-Recursive version of translation; PAn - Principal Abstraction with n principals; RR - Restriction Relaxation.

Table 2: Evaluation data 2. [Table body not recoverable from the extracted text; same columns and legend as Table 1.]

The third test case demonstrates how a difficult RCPI can be decomposed into multiple sub-problems, each of which can be evaluated independently. The original problem required the creation of a $\mathrm{MaxTBE}(\pi)$ so large that the translation process failed to terminate. Once the reductions were applied, the five sub-problems were small enough to be evaluated. Four of the five sub-problems yielded counterexamples, though the last sub-problem was satisfied. Thus the initial RCPI was falsified, since a single falsified sub-problem suffices. Another interesting aspect of this problem is that, despite the fact that the reachable state space of the last sub-problem is quite large, the model checker was still able to verify that case. This supports our hypothesis that symbolic model checking is a useful approach to the policy analysis problem.

Regarding limitations of our approach, the fourth test case demonstrates that our reductions are not always effective at significantly reducing the size of the problem that the model checker must solve. The twelfth test case illustrates the fact that applying principal abstraction too aggressively can produce incorrect results. As discussed in Section 6.1, when the set of new principals is constrained to two elements, the analysis incorrectly indicates that the query is satisfied. However, when the set of new principals is enlarged to contain three principals, a counterexample is detected. Recall that this RCPI also exhibits multiply occurring linked role names, which was identified above as a characteristic that tends to indicate analysis will be more costly.

Without principal abstraction, the twelfth RCPI generates an AFSM that is much larger than the model checker can handle. While part of this is due to the number of growth unrestricted roles, the dominant factor seems to be the number of significant roles. Test cases 10 and 12 both contain 6 significant roles, with approximately 24200 and 24550 policy states, respectively (and many more AFSM states), and require 76 and 99 seconds to translate. On the other hand, test case 3 exhibits 7 significant roles and could not be translated, due to excessive size. This suggests that, for our approach in its current form, 6 is a practical upper bound on the number of significant roles that can be handled.

The question of where the boundary lies between those RCPIs that can be analyzed and those that cannot is more complex, since the size of the state space is not always directly correlated with the ability to obtain a definitive answer from SMV. The upper bound on the size of the state space that SMV can handle depends heavily on the number and ordering of BDD variables. Though it is clear that the larger the state space, the less probable it is that SMV will reach a conclusion, these metrics do not yield a sharp cut-off point.

The thirteenth test case demonstrates how restriction relaxation can be usefully applied to an RCPI even when the model checker discovers a counterexample. Recall that when no counterexample is found after restriction relaxation is performed, we are guaranteed that the original RCPI also has no counterexample. However, when a counterexample is found, if it is a policy that contains no new statements for roles that are growth restricted in the original RCPI, it constitutes a counterexample to the original RCPI as well. In test case thirteen, the model checker produced counterexamples from three of the decomposed sub-problems that were also counterexamples to the original RCPI. We manually examined each of the three counterexamples in the context of the original RCPI to determine that they corresponded to counterexamples in it as well.
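The manual check described for test case thirteen can be mechanized. The following added example (not the paper's tool) decides whether a counterexample policy produced under restriction relaxation is reachable from the original policy under the original restriction rule, and therefore carries over to the original RCPI. The assumption, mine rather than a definition quoted from the page, is that reachability reduces to two per-statement conditions: no added statement defines a growth-restricted role and no removed statement defines a shrink-restricted role. The sample statements are constructed; only the role name SA.delegatedAccess is taken from the second test case.

```python
"""Added example (not the paper's tool): lifting a counterexample found under
restriction relaxation back to the original RCPI.  Assumption (mine): policy
P' is reachable from P under rule (G_R, S_R) iff no statement in P' \\ P
defines a growth-restricted role and no statement in P \\ P' defines a
shrink-restricted role; adds and removes are independent steps, so the two
set differences decide the question.  Statements are (kind, head, body)."""


def head_role(stmt):
    return stmt[1]


def reachable_under_rule(original, candidate, growth_restricted, shrink_restricted):
    """Return (ok, illegal_additions, illegal_removals) for the candidate."""
    added = set(candidate) - set(original)
    removed = set(original) - set(candidate)
    bad_add = {s for s in added if head_role(s) in growth_restricted}
    bad_rm = {s for s in removed if head_role(s) in shrink_restricted}
    return (not bad_add and not bad_rm), bad_add, bad_rm


def lift_counterexample(original_policy, original_rule, relaxed_counterexample):
    """True if a counterexample found under the relaxed rule is also a
    counterexample for the original RCPI (the check described in the text,
    with the shrink-restricted side included for completeness)."""
    g_r, s_r = original_rule
    ok, _, _ = reachable_under_rule(original_policy, relaxed_counterexample, g_r, s_r)
    return ok


# Constructed sample.  Only the name SA.delegatedAccess comes from the text.
ORIGINAL = [
    ("simple", "SA.delegatedAccess", ("SA.manager",)),
    ("member", "SA.manager", ("Alice",)),
    ("simple", "SA.access", ("SA.delegatedAccess",)),
]
ORIGINAL_RULE = ({"SA.delegatedAccess", "SA.access"}, {"SA.manager"})

# Suppose restriction relaxation made SA.delegatedAccess growth-unrestricted.
# This candidate adds a statement for SA.manager only, which the original
# rule permits, so it is a genuine counterexample for the original RCPI.
GOOD_CE = ORIGINAL + [("member", "SA.manager", ("Mallory",))]
# This candidate adds a statement defining SA.delegatedAccess, which the
# original rule forbids: spurious, an artifact of the relaxation.
SPURIOUS_CE = ORIGINAL + [("member", "SA.delegatedAccess", ("Mallory",))]

if __name__ == "__main__":
    print("good carries over:", lift_counterexample(ORIGINAL, ORIGINAL_RULE, GOOD_CE))
    print("spurious carries over:", lift_counterexample(ORIGINAL, ORIGINAL_RULE, SPURIOUS_CE))
```

The second return values name the offending statements, which is what a policy author needs in order to decide whether to relax a different role or to enlarge the set of new principals instead.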

The remaining test cases exhibit characteristics similar to those already discussed. They tend to support the hypothesis that our model checking approach can be effective, and that the reductions and abstractions we have introduced significantly enlarge the set of RCPIs for which this is so. It should be noted that while the test cases we present demonstrate effectiveness, there are many RCPIs that our approach is unable to solve. Unfortunately, such cases are commonplace. This is to be expected, given the high complexity of the role containment problem. In large measure, our goal is to discover the limits of automated policy analysis in practice, and to this end we next discuss our observations regarding the policy features that influence the difficulty of evaluating an RCPI.

The results of these experiments and our other experience working with the role containment problem tend to support the importance of certain characteristics in determining whether our techniques are effective. To summarize, our reductions are most effective in limiting the size of the $\mathrm{MaxTBE}(\pi)$ when the queried roles do not depend on a large number of growth or shrink restricted roles in the original RCPI. In particular, it is very advantageous if the number of such roles on which both queried roles depend is small. Our techniques are less successful when these role sets are large and have cyclic dependencies. Our experience is that it is quite difficult to effectively apply restriction relaxation when cycles appear in this part of the policy. Furthermore, when these roles are defined by a large number of simple member statements, the resource requirements to analyze the RCPI can be impractical to meet. Principal abstraction only serves to limit the number of new principals, so when the original RCPI contains a large number of principals, this can result in an excessively large number of simple member statements in the $\mathrm{MaxTBE}(\pi)$. True, this problem is mitigated when a large collection of principals occupy the same set of roles, since, as we have shown in Section 2, in this case all but one representative of such a collection can be eliminated. However, when principals are added to many different sets of roles, the number of representative principals can still be very large.

9  Related  Work 

This  section  describes  related  work  on  verifying  security  properties  of  trust  management  and  access  control 
systems.  In  many  cases  a  particular  related  work  evaluates  a  verification  technique  for  a  specific  security 
property  and/or  specific  access  control  system.  We  compare  the  strengths  and  limitations  of  each  related 
work  against  our  framework.  In  addition,  we  examine  the  applicability  of  each  work  to  our  problem. 

9.1  Comparison  Criteria 

We analytically compare our framework to related verification techniques within two categories. The first category includes verification techniques related to trust management systems, which include the RT and SPKI/SDSI policy languages. These languages support delegation of permission and delegation of authority in a decentralized environment, and as such the associated verification techniques are highly relevant. The second category includes verification techniques related to centralized access control systems. The majority of verification work is associated with role-based access control (RBAC) systems, some with delegation and administrative extensions. It is significant to note that in centralized systems, the security of the system depends primarily on the actions of security administrators rather than stakeholders. This often leads to a different type of analysis than is found in trust management, although it is plausible to extend this type of trust management analysis to RBAC systems. It is not clear whether current verification techniques can be applied to our trust management analysis. Furthermore, to the best of our knowledge, none of the approaches in these two categories provides intensive automated reduction and abstraction techniques to reduce the computational cost of formal analysis of access control models.

The comparison criteria include the following. First, we compare the theoretical upper and lower bounds of each technique against our own. Second, we compare the implementations of their technique and counterexample generation. Finally, we compare usage processes for verifying and analyzing security policies even in the cases where the verification is intractable.


9.2  Trust  Management  Verification  Techniques 

Li et al. [21] originally propose security analysis of RT within the context of Datalog. They establish theoretical upper and lower bounds for each of the policy classes in the RT family with respect to simple and bounded safety, availability, and role containment properties. All of these property categories can be evaluated in polynomial time, with the exception of role containment, whose complexity is determined by the class of the policy in question. For $RT[\,]$ the analysis is in polynomial time, whereas for $RT[\leftarrow]$ it is PSPACE-complete and for $RT[\cap]$ it is co-NP-complete. The final class, $RT[\leftarrow, \cap]$, was demonstrated to be in co-NEXPTIME. While Datalog semantics were useful to illustrate and prove many of these complexity bounds, the associated algorithms presented in their paper provide no evidence as to how or why a policy may fail to satisfy a particular property.

Sistla and Zhou [36] also provide a framework for reasoning about security analysis of RT policies. Of significant value is their proof of a tight EXPTIME upper and lower bound for role containment queries in the $RT[\leftarrow, \cap]$ class. They accomplish this by transforming the analysis into a language containment problem for unbounded systems. This involves an algorithm that searches through every sequence of principal-to-role assignments for those sequences that are consistent with the growth restrictions. If all of the consistent sequences satisfy the role containment property, then the algorithm reports that the policy satisfies the property. When a role containment $X.u \sqsupseteq A.r$ is not satisfied in all reachable policies, it is not clear that their method could be made to find such a policy; the technique only reports that one exists. The reason that it is able to improve on the complexity bound of the approach we use is precisely that it does not actually introduce new principals, which makes counterexample generation difficult. While beneficial for establishing a theoretical bound, we view this as a serious limitation for a practical technique. Our principal goal is to provide meaningful feedback to the analysis tool user.

Jha and Reps [17] verify such properties as authorization, availability, and shared access for the SPKI/SDSI policy language through the use of pushdown systems and specialized algorithms. Pushdown systems can be used to represent language containment problems for unbounded systems. This approach is considered a type of model checking and has been shown to run, in many cases, in time polynomial in the size of the certificate set. SPKI/SDSI can be viewed as a subset of RT, specifically the policy class $RT[\leftarrow]$. This implies that Jha's approach does not support intersection inclusion statements. In addition, the type of analysis examined in this work assumes that all principals issuing delegation credentials are trusted, which is not the type of security analysis we examine. No mention was made of reduction or abstraction techniques, which are significant in many cases because otherwise the problem may not be checkable. It is doubtful that our techniques would be immediately applicable, since they depend on a restriction rule which is not part of this work.

Our techniques are applicable to security analysis of the Simple Distributed Security Infrastructure (SDSI) [30], as SDSI policies can be translated into RT policies almost trivially. We conjecture that our techniques may also be applicable to the analysis of other policy languages, such as Cassandra [4], that are founded on variants of Datalog. However, this question remains open.

9.3  Other  Access  Control  Verification  Techniques 

Fisler et al. [10] analyze the impact of policy changes on RBAC systems using their own model checking tool, Margrave, implemented in Scheme. Policies are represented as multi-terminal BDDs for efficient storage and manipulation. Their work focuses on the process of validating a policy change before committing it, which is applicable to security administrators. They verify separation of duty properties, and their tool produces counterexamples when a property is not satisfied. While they do not provide any theoretical bounds on performance, they provide a concrete example with associated performance metrics.

Schaad et al. [34] also verify separation of duty properties, in the context of a workflow process utilizing an RBAC system. The goal of this work is to identify a sequence of delegations and revocations that may place a principal into two or more roles that would be characterized as unsafe. While their version of RBAC supports delegation and revocation of permissions, it does not support delegation of authority as seen in modern trust management languages. The authors propose the use of NuSMV, a model checking tool in the SMV family that supports features such as bounded model checking and simulation of the reachable state space. However, the computational complexity of their approach is unclear, as is how they might reduce or abstract the problem to address the state-explosion problem.

Hansen  et  al.  [13]  utilize  model  checker  SPIN  to  verify  various  static  and  dynamic  separation  of  duty 
properties  in  RBAC.  Their  approach  does  not  support  any  form  of  delegation,  and  the  authors  do  not  provide 
a  theoretical  performance  bound. 

Koch et al. [18] reason about RBAC through a graph-based formalism. In their graph, nodes represent users, roles, sessions and permissions, while edges represent associations between the nodes. Graph transformation rules allow users, roles and permissions to be added or removed, and sessions to be activated or deactivated. Graphical constraints are used to specify consistency properties, often represented as a graph of a forbidden structure of nodes and edges. The authors develop techniques for proving the correctness of dynamic separation of duty specifications using this formalism. The contribution of this work is a framework for comparing different access control models and analyzing the effect of combining multiple policies. Some of the advantages of this approach include intuitive visualization of the RBAC policy as well as the application of graph theory. While we utilize graphs for visualization and analysis, there are several reasons why this approach does not address our needs. First, it is unclear how to extend the formalism to represent delegation of authority or rights; furthermore, it does not support role intersection as an operation. Second, the analysis is not automated, although certain graph transformations are.

Stoller et al. [33, 38, 39] study the complexity of problems related to ours, but in the context of RBAC. They investigate user-role reachability analysis in their parameterized administrative role-based access control (ARBAC) system. User-role reachability asks whether some set of administrators could modify the RBAC policy so that a target user becomes a member of a specified role. One can use such queries to verify safety and availability properties. Depending on the expressive power of the administrative policy, the complexity of the user-role reachability problem ranges from polynomial time to PSPACE-complete. Using a symbolic state graph, they are able to produce a path by which a target user can be made a member of the given role.

Jha et al. [16] reason about classes of security analysis problems related to RBAC and identify the computational complexity of such problems as PSPACE-complete. By exploring the factors that influence the complexity of a given problem, they were able to identify sub-categories of problems that can be decided in polynomial time. In addition to their theoretical results, they experimented with formal techniques including symbolic model checking and logic programming. In more than half of their experiments, preprocessing techniques were necessary in order to scope the problem to a size that could be evaluated. Of the work on RBAC, this research is the most similar to our research on practical security analysis of RT.

Zhang et al. [40, 41, 42] provide a model checking algorithm for evaluating access control systems and present the computational complexity of the algorithm. This approach can be used to detect, in an access control policy, errors caused by the interactions of policy rules and coalitions among multiple agents. Our goal is different from theirs in that we intend to check whether a set of principals (e.g., users or subsystems) can access the resources no matter how the policy evolves in a decentralized environment, in which authority can be delegated.

Other work [9, 11, 12, 26, 35] also supports the use of formal techniques and tools to verify properties of security policies; however, none of it significantly addresses practical concerns such as usability, performance, and scalability. Furthermore, it is unclear how we might use these techniques to address role containment in a delegation language such as RT. Conversely, the techniques presented in this paper can be used for certain security analysis problems within the context of ARBAC. As shown by Li and Tripunitara [22], two security analysis problems arising in ARBAC can be reduced to security analysis problems involving RT, namely the Assignment And Trusted Users (AATU) problem and the Assignment And Revocation (AAR) problem.

10  Conclusion 

Crafting and validating decentralized access control policies that reflect the author's intention is a difficult task for stakeholders. They require automated means of reasoning about the protection of their resources, as the complexity and intractability of policies make manual approaches unreasonable or impossible. Ideally, the techniques and tools can also provide information on why and how their policies fail to meet their expectations.

Our contribution meets these requirements by basing our automated security analysis approach on model checking. We develop a collection of reduction techniques and semi-decision procedures that are often able to reduce problem instances into a form that can be automatically verified. Furthermore, we include proofs demonstrating the correctness of our techniques and an empirical evaluation showing the effectiveness and performance of our approach. Our findings show that many RT policy analysis instances can be effectively verified using the methodology of combining reductions with model checking.


Appendix 

This  appendix  contains  proofs  of  the  theorems  in  the  body  of  the  paper. 

Theorem 9 (Section 3.1) Given any RCPI $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, $\mathit{COI}((\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r))$ is satisfied if and only if $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ is satisfied.

We prove the soundness of COI in three parts corresponding to the following three lemmas. The first lemma proves soundness of the definition of $\mathcal{P}'$ as per (1). The second lemma proves soundness of the definition of $\mathcal{G}'_{\mathcal{R}}$ as per (3), and the third lemma proves soundness of the definition of $\mathcal{S}'_{\mathcal{R}}$ as per (4).

Lemma 26 Given any RCPI $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, $(\mathcal{P}', \mathcal{R}, X.u \sqsupseteq A.r)$ is satisfied if and only if $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ is satisfied, where $\mathcal{P}'$ is defined by (1).

Proof. We prove entailment in both directions. In the "only if" part, let $\mathcal{P}'''$ be reachable from $\mathcal{P}'$ under $\mathcal{R}$ and let $E$ satisfy $E \notin [\![X.u]\!]_{\mathcal{P}'''} \wedge E \in [\![A.r]\!]_{\mathcal{P}'''}$. Let $\mathcal{P}'' = \mathcal{P}''' \cup \mathcal{P}|_{\mathcal{S}_{\mathcal{R}}}$.

We show $\mathcal{P}''$ is reachable from $\mathcal{P}$ under $\mathcal{R}$. Consider any $A \leftarrow e \in \mathcal{P} - \mathcal{P}''$. We know that $A \notin \mathcal{S}_{\mathcal{R}}$ because $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}''$, so removing $A \leftarrow e$ is permitted by $\mathcal{R}$. Now consider any $A \leftarrow e \in \mathcal{P}'' - \mathcal{P}$. By construction of $\mathcal{P}''$ it must be that $A \leftarrow e \in \mathcal{P}'''$, which is reachable from $\mathcal{P}'$. Since $\mathcal{P}' \subseteq \mathcal{P}$, it follows that $A \leftarrow e \in \mathcal{P}''' - \mathcal{P}'$, which implies that $A \notin \mathcal{G}_{\mathcal{R}}$. Hence $A \leftarrow e$ can be added to $\mathcal{P}$, as required.

Next we show $E \notin [\![X.u]\!]_{\mathcal{P}''}$ and $E \in [\![A.r]\!]_{\mathcal{P}''}$. The latter follows easily from $E \in [\![A.r]\!]_{\mathcal{P}'''}$ and from $\mathcal{P}''' \subseteq \mathcal{P}''$, which tells us that $[\![A.r]\!]_{\mathcal{P}'''} \subseteq [\![A.r]\!]_{\mathcal{P}''}$. We show $E \notin [\![X.u]\!]_{\mathcal{P}''}$ by proving that for all roles $B.r' \in \mathrm{DefRoles}(\mathcal{P}, X.u, \mathcal{S}_{\mathcal{R}})$, $[\![B.r']\!]_{\mathcal{P}''} \subseteq [\![B.r']\!]_{\mathcal{P}'''}$. For this we use induction on $i$ to show that if $D \in T_{\mathcal{P}''}\!\uparrow^{i}[B.r']$, then $D \in T_{\mathcal{P}'''}\!\uparrow^{j}[B.r']$ for some $j \in \mathbb{N}$. The base case is trivial. For the step, consider any $D \in T_{\mathcal{P}''}\!\uparrow^{i+1}[B.r']$ and fix the statement $B.r' \leftarrow e$ that is used to introduce $D \in T_{\mathcal{P}''}\!\uparrow^{i+1}[B.r']$. There are four cases based on the structure of $e$.

Case 1: $e = D$. Because $B.r' \in \mathrm{DefRoles}(\mathcal{P}, X.u, \mathcal{S}_{\mathcal{R}})$, it follows that $B.r' \leftarrow D \in \mathcal{P}$. If $B.r' \in \mathcal{S}_{\mathcal{R}}$, then $B.r' \leftarrow D \in \mathcal{P}'''$ by definition of reachability. If not, then $B.r' \leftarrow D \in \mathcal{P}'''$ follows by construction of $\mathcal{P}''$. In either case we have $D \in T_{\mathcal{P}'''}\!\uparrow^{1}[B.r']$.

Case 2: $e = C.r_1$. We obtain $B.r' \leftarrow C.r_1 \in \mathcal{P}'''$ as we did $B.r' \leftarrow D \in \mathcal{P}'''$ in the first case. It follows that $D \in T_{\mathcal{P}''}\!\uparrow^{i}[C.r_1]$. We show that there is a $j$ for which $D \in T_{\mathcal{P}'''}\!\uparrow^{j}[C.r_1]$. By definition of DefRoles, $B.r' \in \mathrm{DefRoles}(\mathcal{P}, X.u, \mathcal{S}_{\mathcal{R}})$ implies either $C.r_1 \notin \mathcal{S}_{\mathcal{R}}$ or $C.r_1 \in \mathrm{DefRoles}(\mathcal{P}, X.u, \mathcal{S}_{\mathcal{R}})$. When $C.r_1 \in \mathrm{DefRoles}(\mathcal{P}, X.u, \mathcal{S}_{\mathcal{R}})$, we obtain $D \in T_{\mathcal{P}'''}\!\uparrow^{j}[C.r_1]$ from the induction assumption. When $C.r_1 \notin \mathrm{DefRoles}(\mathcal{P}, X.u, \mathcal{S}_{\mathcal{R}})$, it follows that there is no statement defining $C.r_1$ in $\mathcal{P}$. Thus it must be that $C.r_1 \notin \mathcal{G}_{\mathcal{R}}$ and that $C.r_1 \leftarrow D \in \mathcal{P}'' - \mathcal{P}$. (Recall that by Theorem 4 we can assume without loss of generality that $\mathcal{P}'' - \mathcal{P}$ consists of simple member statements.) Since $C.r_1 \notin \mathcal{S}_{\mathcal{R}}$, it follows from the construction of $\mathcal{P}''$ that $C.r_1 \leftarrow D \in \mathcal{P}'''$. Therefore $D \in T_{\mathcal{P}'''}\!\uparrow^{1}[C.r_1]$. We now obtain $D \in T_{\mathcal{P}'''}\!\uparrow^{j+1}[B.r']$, as required.

The cases in which $e = C.r_1.r_2$ and $e = C.r_1 \cap F.r_2$ are similar to the second case above, thus completing the "only if" part of the proof. In the "if" part of the proof, we use a variant of DefRoles that includes roles in $\mathcal{M}$ as well as roles used in their definitions.

Definition 27 Let $\rho$ be a role, $\mathcal{M}$ be a set of roles, and $\mathcal{P}$ be a policy. We define $\mathrm{DefRoles}^{+}(\mathcal{P}, \rho, \mathcal{M})$ to be the least set of roles $O$ satisfying the following conditions:

• $\rho \in O$

• $(A \in O \wedge A \in \mathcal{M} \wedge A \leftarrow B.r_1 \in \mathcal{P}) \Rightarrow B.r_1 \in O$

• $(A \in O \wedge A \in \mathcal{M} \wedge A \leftarrow B.r_1.r_2 \in \mathcal{P} \wedge D \in \mathrm{Principals}(\mathcal{P})) \Rightarrow (B.r_1 \in O \wedge D.r_2 \in O)$

• $(A \in O \wedge A \in \mathcal{M} \wedge A \leftarrow B.r_1 \cap C.r_2 \in \mathcal{P}) \Rightarrow (B.r_1 \in O \wedge C.r_2 \in O)$

Let $\mathcal{P}''$ be reachable from $\mathcal{P}$ and let $E$ satisfy $E \notin [\![X.u]\!]_{\mathcal{P}''} \wedge E \in [\![A.r]\!]_{\mathcal{P}''}$. It is convenient in this case to construct from $\mathcal{P}''$ a policy $\hat{\mathcal{P}}$ which is also reachable from $\mathcal{P}$ and satisfies $E \notin [\![X.u]\!]_{\hat{\mathcal{P}}} \wedge E \in [\![A.r]\!]_{\hat{\mathcal{P}}}$.

Let $\mathcal{P}_0 = \{F.r'' \leftarrow D \mid F.r'' \in \mathrm{DefRoles}^{+}(\mathcal{P}, A.r, \mathcal{G}_{\mathcal{R}}) - \mathcal{G}_{\mathcal{R}} \wedge D \in [\![F.r'']\!]_{\mathcal{P}''}\}$.

Let $\hat{\mathcal{P}} = (\mathcal{P}'' - \mathcal{P}''|_{\mathrm{DefRoles}^{+}(\mathcal{P}, X.u, \mathcal{S}_{\mathcal{R}}) - (\mathcal{S}_{\mathcal{R}} \cup \mathrm{DefRoles}(\mathcal{P}, A.r, \mathcal{G}_{\mathcal{R}}))}) \cup \mathcal{P}_0$. It can be shown by induction that for all $B.r' \in \mathrm{DefRoles}(\mathcal{P}, X.u, \mathcal{S}_{\mathcal{R}})$, $[\![B.r']\!]_{\hat{\mathcal{P}}} \subseteq [\![B.r']\!]_{\mathcal{P}''}$, and that for all $B.r' \in \mathrm{DefRoles}(\mathcal{P}, A.r, \mathcal{G}_{\mathcal{R}})$, $[\![B.r']\!]_{\hat{\mathcal{P}}} = [\![B.r']\!]_{\mathcal{P}''}$. It follows from this that $E \notin [\![X.u]\!]_{\hat{\mathcal{P}}} \wedge E \in [\![A.r]\!]_{\hat{\mathcal{P}}}$.

Now we construct $\mathcal{P}'''$, reachable from $\mathcal{P}'$, by $\mathcal{P}''' = \hat{\mathcal{P}}|_{M((\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r))} \cup \mathcal{P}_0$, in which $M((\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)) = \mathrm{DefRoles}(\mathcal{P}, X.u, \mathcal{S}_{\mathcal{R}}) \cup \mathrm{DefRoles}(\mathcal{P}, A.r, \mathcal{G}_{\mathcal{R}})$. It can be shown that $\mathcal{P}'''$ is reachable from $\mathcal{P}'$. It can now be shown that $[\![B.r']\!]_{\mathcal{P}'''} \subseteq [\![B.r']\!]_{\hat{\mathcal{P}}}$ for all $B.r'$ defined in $\mathcal{P}'''$. From this we get $E \notin [\![X.u]\!]_{\mathcal{P}'''}$.

To show that $E \in [\![A.r]\!]_{\mathcal{P}'''}$, one can use induction on $i$ to show that for all roles $B.r' \in M((\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r))$, if $D \in T_{\hat{\mathcal{P}}}\!\uparrow^{i}[B.r']$ then there is a $j \in \mathbb{N}$ such that $D \in T_{\mathcal{P}'''}\!\uparrow^{j}[B.r']$. ∎

Lemma 28 Given any RCPI $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, $(\mathcal{P}, \mathcal{R}', X.u \sqsupseteq A.r)$ is satisfied if and only if $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ is satisfied, where $\mathcal{R}' = (\mathcal{G}'_{\mathcal{R}}, \mathcal{S}_{\mathcal{R}})$ and $\mathcal{G}'_{\mathcal{R}}$ is defined by (3).

Proof. Recall from (3) that $\mathcal{G}'_{\mathcal{R}} = \mathcal{G}_{\mathcal{R}} \cup \Gamma$, where $\Gamma = \mathrm{DefRoles}(\mathcal{P}, X.u, \mathrm{Roles}(\mathcal{P})) - \mathrm{DefRoles}(\mathcal{P}, A.r, \mathrm{Roles}(\mathcal{P}))$. We assume without loss of generality that the reachable state $\mathcal{P}'$ is a subset of $\mathcal{P}$ together with simple member statements defining roles in $\mathcal{P}$. The "if" part is trivial because any $\mathcal{P}''$ that is reachable from $\mathcal{P}$ under $\mathcal{R}'$ is also reachable from $\mathcal{P}$ under $\mathcal{R}$. So if $\mathcal{P}''$ shows $(\mathcal{P}, \mathcal{R}', X.u \sqsupseteq A.r)$ is not satisfied, it also shows $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ is not satisfied.

For the "only if" part, assume $\mathcal{P}'$ is reachable from $\mathcal{P}$ under $\mathcal{R}$ and that $E \in [\![A.r]\!]_{\mathcal{P}'}$ and $E \notin [\![X.u]\!]_{\mathcal{P}'}$. Construct $\mathcal{P}'' = \mathcal{P}' - \{B.r \leftarrow e \in \mathcal{P}' - \mathcal{P} \mid B.r \in \Gamma\}$. This removes all the statements whose addition to $\mathcal{P}$ would violate $\mathcal{G}'_{\mathcal{R}}$. Thus $\mathcal{P}''$ is reachable from $\mathcal{P}$ under $\mathcal{R}'$.

It remains to be shown that $E \in [\![A.r]\!]_{\mathcal{P}''}$ and $E \notin [\![X.u]\!]_{\mathcal{P}''}$. The former can be shown by a simple induction on $i$, proving that for all $C.r_1 \in \mathrm{DefRoles}(\mathcal{P}, A.r, \mathrm{Roles}(\mathcal{P}))$ and all principals $D$, if $D \in T_{\mathcal{P}'}\!\uparrow^{i}[C.r_1]$, then $D \in T_{\mathcal{P}''}\!\uparrow^{i}[C.r_1]$. The step goes through easily because $\mathcal{P}'|_{\mathrm{DefRoles}(\mathcal{P}, A.r, \mathrm{Roles}(\mathcal{P}))} = \mathcal{P}''|_{\mathrm{DefRoles}(\mathcal{P}, A.r, \mathrm{Roles}(\mathcal{P}))}$. To show $E \notin [\![X.u]\!]_{\mathcal{P}''}$ we use proof by contradiction and show that if $E \in [\![X.u]\!]_{\mathcal{P}''}$ then $E \in [\![X.u]\!]_{\mathcal{P}'}$. We prove by induction that for all $C.r_1 \in \mathrm{DefRoles}(\mathcal{P}, X.u, \mathrm{Roles}(\mathcal{P}))$ and all principals $D$, if $D \in T_{\mathcal{P}''}\!\uparrow^{i}[C.r_1]$, then $D \in T_{\mathcal{P}'}\!\uparrow^{i}[C.r_1]$. Again, the step goes through easily because $\mathcal{P}''|_{\mathrm{DefRoles}(\mathcal{P}, X.u, \mathrm{Roles}(\mathcal{P}))} \subseteq \mathcal{P}'|_{\mathrm{DefRoles}(\mathcal{P}, X.u, \mathrm{Roles}(\mathcal{P}))}$. ∎

Lemma 29 Given any RCPI $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, $(\mathcal{P}, \mathcal{R}', X.u \sqsupseteq A.r)$ is satisfied if and only if $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ is satisfied, where $\mathcal{R}' = (\mathcal{G}_{\mathcal{R}}, \mathcal{S}'_{\mathcal{R}})$ and $\mathcal{S}'_{\mathcal{R}}$ is defined by (4).

Proof. Recall from (4) that $\mathcal{S}'_{\mathcal{R}} = \mathcal{S}_{\mathcal{R}} \cup \Sigma$, where $\Sigma = \mathrm{DefRoles}(\mathcal{P}, A.r, \mathrm{Roles}(\mathcal{P})) - \mathrm{DefRoles}(\mathcal{P}, X.u, \mathrm{Roles}(\mathcal{P}))$. We assume without loss of generality that the reachable state $\mathcal{P}'$ is a subset of $\mathcal{P}$ together with simple member statements defining roles in $\mathcal{P}$. The "if" part is trivial because any $\mathcal{P}''$ that is reachable from $\mathcal{P}$ under $\mathcal{R}'$ is also reachable from $\mathcal{P}$ under $\mathcal{R}$. So if $\mathcal{P}''$ shows $(\mathcal{P}, \mathcal{R}', X.u \sqsupseteq A.r)$ is not satisfied, it also shows $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ is not satisfied.

For the "only if" part, assume $\mathcal{P}'$ is reachable from $\mathcal{P}$ under $\mathcal{R}$ and that $E \in [\![A.r]\!]_{\mathcal{P}'}$ and $E \notin [\![X.u]\!]_{\mathcal{P}'}$. Construct $\mathcal{P}'' = \mathcal{P}' \cup \{B.r \leftarrow e \in \mathcal{P} - \mathcal{P}' \mid B.r \in \Sigma\}$. This adds back all the statements whose removal from $\mathcal{P}$ would violate $\mathcal{S}'_{\mathcal{R}}$. Thus $\mathcal{P}''$ is reachable from $\mathcal{P}$ under $\mathcal{R}'$.

It remains to be shown that $E \in [\![A.r]\!]_{\mathcal{P}''}$ and $E \notin [\![X.u]\!]_{\mathcal{P}''}$. The former can be shown by a simple induction on $i$, proving that for all $C.r_1 \in \mathrm{DefRoles}(\mathcal{P}, A.r, \mathrm{Roles}(\mathcal{P}))$ and all principals $D$, if $D \in T_{\mathcal{P}'}\!\uparrow^{i}[C.r_1]$, then $D \in T_{\mathcal{P}''}\!\uparrow^{i}[C.r_1]$. The step goes through easily because $\mathcal{P}'|_{\mathrm{DefRoles}(\mathcal{P}, A.r, \mathrm{Roles}(\mathcal{P}))} \subseteq \mathcal{P}''|_{\mathrm{DefRoles}(\mathcal{P}, A.r, \mathrm{Roles}(\mathcal{P}))}$. To show $E \notin [\![X.u]\!]_{\mathcal{P}''}$ we use proof by contradiction and show that if $E \in [\![X.u]\!]_{\mathcal{P}''}$ then $E \in [\![X.u]\!]_{\mathcal{P}'}$. We prove by induction that for all $C.r_1 \in \mathrm{DefRoles}(\mathcal{P}, X.u, \mathrm{Roles}(\mathcal{P}))$ and all principals $D$, if $D \in T_{\mathcal{P}''}\!\uparrow^{i}[C.r_1]$, then $D \in T_{\mathcal{P}'}\!\uparrow^{i}[C.r_1]$. Again, the step goes through easily because $\mathcal{P}''|_{\mathrm{DefRoles}(\mathcal{P}, X.u, \mathrm{Roles}(\mathcal{P}))} = \mathcal{P}'|_{\mathrm{DefRoles}(\mathcal{P}, X.u, \mathrm{Roles}(\mathcal{P}))}$. ∎

Lemma 30 Given a policy $\mathcal{P}$, a restriction rule $\mathcal{R}$ and $B.r \in \mathrm{Roles}(\mathcal{P})$, $[\![B.r]\!]_{\mathit{UB}(\mathcal{P}, \mathcal{R})} = \emptyset$ if and only if every $\mathcal{P}'$ such that $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}'$ satisfies $[\![B.r]\!]_{\mathcal{P}'} = \emptyset$.

Proof. Follows immediately from Proposition 3.6 of [21]. ∎

Theorem 11 (Section 3.2) Let $\mathcal{P}$ be any policy and $\mathcal{R}$ be any restriction rule. (1) For all $\mathcal{P}'$ such that $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}'$ and $\mathcal{P}' - \mathcal{P}$ contains type 1 statements only, there exists $\mathcal{P}''$ such that $\mathit{ERR}(\mathcal{P}, \mathcal{R}) \mapsto^{*}_{\mathcal{R}} \mathcal{P}''$, $\mathcal{P}'' - \mathit{ERR}(\mathcal{P}, \mathcal{R})$ contains type 1 statements only, and for all $B.r \in \mathrm{Roles}(\mathcal{P}') \cup \mathrm{Roles}(\mathcal{P}'')$, $[\![B.r]\!]_{\mathcal{P}'} = [\![B.r]\!]_{\mathcal{P}''}$. Conversely, it is also the case that (2) for all $\mathcal{P}''$ such that $\mathit{ERR}(\mathcal{P}, \mathcal{R}) \mapsto^{*}_{\mathcal{R}} \mathcal{P}''$ and $\mathcal{P}'' - \mathit{ERR}(\mathcal{P}, \mathcal{R})$ contains type 1 statements only, there exists $\mathcal{P}'$ such that $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}'$, $\mathcal{P}' - \mathcal{P}$ contains type 1 statements only, and for all $B.r \in \mathrm{Roles}(\mathcal{P}'')$, $[\![B.r]\!]_{\mathcal{P}'} = [\![B.r]\!]_{\mathcal{P}''}$.

Proof. There are two parts, each of which requires showing set inclusion in two directions.

Part 1 Under part (1), we let $\mathcal{P}'' = (\mathit{ERR}(\mathcal{P}, \mathcal{R}) - (\mathcal{P} - \mathcal{P}')) \cup (\mathcal{P}' - \mathcal{P})$.

Part 1a We show that $[\![B.r]\!]_{\mathcal{P}'} \subseteq [\![B.r]\!]_{\mathcal{P}''}$. The proof uses induction on $i$ to show that for all principals $D$, $D \in T_{\mathcal{P}'}\!\uparrow^{i}[B.r]$ implies $D \in T_{\mathcal{P}''}\!\uparrow^{\omega}[B.r]$. Consider the statement $B.r \leftarrow e$ used to introduce $D \in T_{\mathcal{P}'}\!\uparrow^{i}[B.r]$. Observe that $\mathcal{P}' = (\mathcal{P}' - \mathcal{P}) \cup (\mathcal{P} - (\mathcal{P} - \mathcal{P}'))$. When the statement is in $\mathcal{P}' - \mathcal{P}$, it follows that it is in $\mathcal{P}''$ by construction, and so $D \in T_{\mathcal{P}''}\!\uparrow^{\omega}[B.r]$ follows from the induction hypothesis. Consider the case in which the statement is in $\mathcal{P} - (\mathcal{P} - \mathcal{P}')$. Since $D \in T_{\mathcal{P}'}\!\uparrow^{i}[B.r]$ and $T_{\mathcal{P}'}\!\uparrow^{i}$ is monotonic in $i$, each role $B'.r'$ in $e$ is nonempty when evaluated under $\mathcal{P}'$. So Lemma 30 tells us that $[\![B'.r']\!]_{\mathit{UB}(\mathcal{P}, \mathcal{R})}$ is also nonempty. It follows from the definition of $\mathit{ERR}(\mathcal{P}, \mathcal{R})$ that $B.r \leftarrow e$ is in $\mathit{ERR}(\mathcal{P}, \mathcal{R})$, and the result again follows from the induction hypothesis.

Part 1b We show that $[\![B.r]\!]_{\mathcal{P}''} \subseteq [\![B.r]\!]_{\mathcal{P}'}$. The proof uses induction on $i$ to show that for all principals $D$, $D \in T_{\mathcal{P}''}\!\uparrow^{i}[B.r]$ implies $D \in T_{\mathcal{P}'}\!\uparrow^{\omega}[B.r]$. Consider the statement $B.r \leftarrow e$ used to introduce $D \in T_{\mathcal{P}''}\!\uparrow^{i}[B.r]$. By construction, such a statement must be either in $\mathit{ERR}(\mathcal{P}, \mathcal{R}) - (\mathcal{P} - \mathcal{P}')$ or in $\mathcal{P}' - \mathcal{P}$. When the statement is in $\mathcal{P}' - \mathcal{P}$, it follows that it is in $\mathcal{P}'$, and so $D \in T_{\mathcal{P}'}\!\uparrow^{\omega}[B.r]$ follows from the induction hypothesis. When the statement is in $\mathit{ERR}(\mathcal{P}, \mathcal{R}) - (\mathcal{P} - \mathcal{P}')$, then it must also be in $\mathcal{P} - (\mathcal{P} - \mathcal{P}')$, since $\mathit{ERR}(\mathcal{P}, \mathcal{R}) \subseteq \mathcal{P}$. Observe that $\mathcal{P} - (\mathcal{P} - \mathcal{P}') = \mathcal{P} \cap \mathcal{P}'$. It follows that $B.r \leftarrow e$ is in $\mathcal{P}'$, so it again follows that $D \in T_{\mathcal{P}'}\!\uparrow^{\omega}[B.r]$ by using the induction hypothesis.

Part 2 Under part (2), we let $\mathcal{P}' = (\mathcal{P} - (\mathit{ERR}(\mathcal{P}, \mathcal{R}) - \mathcal{P}'')) \cup (\mathcal{P}'' - \mathit{ERR}(\mathcal{P}, \mathcal{R}))$.

Part 2a We show that $[\![B.r]\!]_{\mathcal{P}'} \subseteq [\![B.r]\!]_{\mathcal{P}''}$. The proof uses induction on $i$ to show that for all principals $D$, $D \in T_{\mathcal{P}'}\!\uparrow^{i}[B.r]$ implies $D \in T_{\mathcal{P}''}\!\uparrow^{\omega}[B.r]$. Consider the statement $B.r \leftarrow e$ used to introduce $D \in T_{\mathcal{P}'}\!\uparrow^{i}[B.r]$. By construction, such a statement must be either in $\mathcal{P} - (\mathit{ERR}(\mathcal{P}, \mathcal{R}) - \mathcal{P}'')$ or in $\mathcal{P}'' - \mathit{ERR}(\mathcal{P}, \mathcal{R})$. When the statement is in $\mathcal{P}'' - \mathit{ERR}(\mathcal{P}, \mathcal{R})$, it follows that it is in $\mathcal{P}''$, and so $D \in T_{\mathcal{P}''}\!\uparrow^{\omega}[B.r]$ follows from the induction hypothesis. Now consider the case in which

$B.r \leftarrow e \in \mathcal{P} - (\mathit{ERR}(\mathcal{P}, \mathcal{R}) - \mathcal{P}'')$   (5)

Next we show that $B.r \leftarrow e \in \mathit{ERR}(\mathcal{P}, \mathcal{R})$. This holds because if $B.r \leftarrow e \notin \mathit{ERR}(\mathcal{P}, \mathcal{R})$ then some $B'.r'$ appearing in $e$ satisfies $T_{\mathcal{P}'}\!\uparrow^{\omega}[B'.r'] = \emptyset$ (by Lemma 30), which violates our assumption that $B.r \leftarrow e$ is used to introduce $D \in T_{\mathcal{P}'}\!\uparrow^{i}[B.r]$. Now since $\mathit{ERR}(\mathcal{P}, \mathcal{R}) \subseteq \mathcal{P}$, we can rewrite (5) as $B.r \leftarrow e \in \mathit{ERR}(\mathcal{P}, \mathcal{R}) - (\mathit{ERR}(\mathcal{P}, \mathcal{R}) - \mathcal{P}'')$. This is equivalent to $B.r \leftarrow e \in \mathit{ERR}(\mathcal{P}, \mathcal{R}) \cap \mathcal{P}''$, which gives us $B.r \leftarrow e \in \mathcal{P}''$. From this, $D \in T_{\mathcal{P}''}\!\uparrow^{\omega}[B.r]$ now follows from the induction hypothesis.

Part 2b We show that $[\![B.r]\!]_{\mathcal{P}''} \subseteq [\![B.r]\!]_{\mathcal{P}'}$. The proof uses induction on $i$ to show that for all principals $D$, $D \in T_{\mathcal{P}''}\!\uparrow^{i}[B.r]$ implies $D \in T_{\mathcal{P}'}\!\uparrow^{\omega}[B.r]$. Consider the statement $B.r \leftarrow e$ used to introduce $D \in T_{\mathcal{P}''}\!\uparrow^{i}[B.r]$. Observe that $\mathcal{P}'' = (\mathit{ERR}(\mathcal{P}, \mathcal{R}) - (\mathcal{P} - \mathcal{P}')) \cup (\mathcal{P}' - \mathcal{P})$. When the statement is in $\mathcal{P}' - \mathcal{P}$, it follows that it is in $\mathcal{P}'$, and so $D \in T_{\mathcal{P}'}\!\uparrow^{\omega}[B.r]$ follows from the induction hypothesis. Consider the case in which the statement is in $\mathit{ERR}(\mathcal{P}, \mathcal{R}) - (\mathcal{P} - \mathcal{P}')$. It must also be in $\mathcal{P} - (\mathcal{P} - \mathcal{P}')$, since $\mathit{ERR}(\mathcal{P}, \mathcal{R}) \subseteq \mathcal{P}$. Observe that $\mathcal{P} - (\mathcal{P} - \mathcal{P}') = \mathcal{P} \cap \mathcal{P}'$. It follows that $B.r \leftarrow e$ is in $\mathcal{P}'$, so it again follows that $D \in T_{\mathcal{P}'}\!\uparrow^{\omega}[B.r]$ by using the induction hypothesis. ∎
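The objects these proofs manipulate (the fixpoint semantics $T_{\mathcal{P}}$, DefRoles in the shape of Definition 27, states reachable under a restriction rule $(\mathcal{G}_{\mathcal{R}}, \mathcal{S}_{\mathcal{R}})$, the upper bound behind Lemma 30 and the statement removal $\mathit{ERR}$ of Theorem 11, and the extended rules of Lemmas 28 and 29) can be exercised on a small policy. The following Python model is an added example written for this page; it is not the paper's analysis tool, and its policy, restriction rule, fresh principal and the finite bound on reachable states (only simple member statements over a fixed principal set are added, mirroring the assumption the proofs invoke via Theorem 4 and Lemma 16, but taken here as a bounding assumption rather than a completeness result) are assumptions of the example.

```python
"""Added worked example (not the paper's own tool): an executable model of the
RT_0 notions used in the appendix proofs, run on a small constructed policy."""
from itertools import chain, combinations

TOP = "⊤"  # sentinel for "any principal" in the upper bound UB(P, R)

# A role is a (principal, name) pair; a statement is (head_role, body) with
#   ("p", D) = A.r <- D (type 1)       ("r", B.r1) = A.r <- B.r1
#   ("l", B.r1, r2) = A.r <- B.r1.r2   ("i", B.r1, C.r2) = A.r <- B.r1 ∩ C.r2

def body_roles(body):
    return {x for x in body[1:] if isinstance(x, tuple)}

def eval_body(body, mem):
    """Principals one statement body contributes under the role lookup `mem`."""
    if body[0] == "p":
        return {body[1]}
    if body[0] == "r":
        return set(mem(body[1]))
    if body[0] == "l":
        return set().union(*(mem((c, body[2])) for c in mem(body[1])))
    return set(mem(body[1])) & set(mem(body[2]))

def semantics(policy, G=None, principals=()):
    """Least fixpoint of T_P.  With the growth-restricted set G given, roles
    outside G are taken to hold every principal plus ⊤, which yields the upper
    bound UB(P, R) for the roles in G."""
    universe = set(principals) | {TOP}
    members = {}
    def mem(role):
        if G is not None and role not in G:
            return universe
        return members.get(role, set())
    changed = True
    while changed:
        changed = False
        for head, body in policy:
            new = eval_body(body, mem)
            if not new <= members.get(head, set()):
                members[head] = members.get(head, set()) | new
                changed = True
    return {r: frozenset(m) for r, m in members.items()}

def roles(policy):
    return {h for h, _ in policy} | set().union(*(body_roles(b) for _, b in policy))

def def_roles(policy, start, heads):
    """Least O with start ∈ O such that A ∈ O ∩ heads and A <- e ∈ P put every
    role of e into O, and A <- B.r1.r2 also D.r2 for each D in Principals(P)
    (the shape of Definition 27 with M = heads)."""
    princ = {r[0] for r in roles(policy)} | {b[1] for _, b in policy if b[0] == "p"}
    O, todo = {start}, [start]
    while todo:
        a = todo.pop()
        for head, body in policy:
            if head != a or a not in heads:
                continue
            new = body_roles(body) | ({(d, body[2]) for d in princ} if body[0] == "l" else set())
            todo.extend(new - O)
            O |= new
    return O

def powerset(items):
    items = list(items)
    return chain.from_iterable(combinations(items, k) for k in range(len(items) + 1))

def reachable(policy, G, S, principals):
    """Finite abstraction of the states reachable from P under R = (G, S): drop
    any statement whose head is not in S, add type 1 statements B.r <- E for
    B.r in Roles(P) - G and E in `principals`.  This bound is an assumption."""
    fixed = frozenset(st for st in policy if st[0] in S)
    removable = [st for st in policy if st[0] not in S]
    addable = [(r, ("p", e)) for r in sorted(roles(policy)) for e in sorted(principals)
               if r not in G and (r, ("p", e)) not in policy]
    for keep in powerset(removable):
        for add in powerset(addable):
            yield fixed | frozenset(keep) | frozenset(add)

def counterexample(policy, G, S, container, contained, principals):
    """A reachable state where `contained` ⊄ `container`, else None (X.u ⊒ A.r holds)."""
    for state in reachable(policy, G, S, principals):
        m = semantics(state)
        if not m.get(contained, frozenset()) <= m.get(container, frozenset()):
            return state
    return None

def err(policy, G, principals):
    """ERR(P, R): drop every statement whose body is empty in UB(P, R); by
    Lemma 30 such a statement contributes nothing in any reachable state."""
    ub = semantics(policy, G, principals)
    universe = set(principals) | {TOP}
    mem = lambda role: universe if role not in G else ub.get(role, frozenset())
    return frozenset(st for st in policy if eval_body(st[1], mem))

# Constructed sample.  Co.contractor and Co.vip are growth-restricted and never
# defined, so the two statements that depend on them can never fire.
STAFF, ADMIN = ("Co", "staff"), ("Co", "admin")
VIP, CONTRACTOR = ("Co", "vip"), ("Co", "contractor")
POLICY = frozenset({(STAFF, ("p", "Alice")), (STAFF, ("r", CONTRACTOR)),
                    (ADMIN, ("p", "Alice")), (ADMIN, ("i", STAFF, VIP))})
G_R = {ADMIN, VIP, CONTRACTOR}   # growth-restricted roles
S_R = {STAFF}                    # shrink-restricted roles
PRINCIPALS = {"Alice", "Eve"}    # Principals(P) plus one fresh principal (assumption)

if __name__ == "__main__":
    print("ERR(P,R) keeps", len(err(POLICY, G_R, PRINCIPALS)), "of", len(POLICY), "statements")
    print("Co.staff ⊒ Co.admin under R:", counterexample(POLICY, G_R, S_R, STAFF, ADMIN, PRINCIPALS) is None)
    print("with Co.admin unrestricted:", counterexample(POLICY, G_R - {ADMIN}, S_R, STAFF, ADMIN, PRINCIPALS))
```

Run as a script, the model reports that $\mathit{ERR}$ keeps two of the four statements (the bodies $\mathit{Co.contractor}$ and $\mathit{Co.staff} \cap \mathit{Co.vip}$ are empty in the upper bound), that $\mathit{Co.staff} \sqsupseteq \mathit{Co.admin}$ holds in every abstracted state under $(\mathcal{G}_{\mathcal{R}}, \mathcal{S}_{\mathcal{R}})$, and that dropping $\mathit{Co.admin}$ from $\mathcal{G}_{\mathcal{R}}$ yields a state containing $\mathit{Co.admin} \leftarrow \mathit{Eve}$ but not $\mathit{Co.staff} \leftarrow \mathit{Eve}$; $\mathit{Eve}$ plays the role of the principal $E$ in the proofs. The set $\Sigma$ of Lemma 29 for this instance is $\{\mathit{Co.admin}, \mathit{Co.vip}\}$, and adding it to $\mathcal{S}_{\mathcal{R}}$ leaves both answers unchanged, as the lemma states.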


Theorem 13 (Section 3.3) Given an RCPI $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, if $A.r \in \mathcal{G}_{\mathcal{R}} \cap \mathcal{S}_{\mathcal{R}}$, then $\mathcal{P}$ satisfies $X.u \sqsupseteq A.r$ under $\mathcal{R}$ if and only if $\mathcal{P}'$ satisfies $X.u \sqsupseteq \rho$ under $\mathcal{R}'$ for each $(\mathcal{P}', \mathcal{R}', X.u \sqsupseteq \rho) \in \mathrm{Decompose}(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$.

Proof. We prove entailment in both directions. We begin by showing the "only if" part, which we do by showing its contrapositive. That is, we assume there is a $(\mathcal{P}', \mathcal{R}', X.u \sqsupseteq \rho) \in \mathrm{Decompose}(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ such that in some state $\mathcal{P}''$ reachable from $\mathcal{P}'$ under $\mathcal{R}'$, there is a principal $E$ such that $E \in [\![\rho]\!]_{\mathcal{P}''}$ but $E \notin [\![X.u]\!]_{\mathcal{P}''}$. Using this assumption, we show $\mathcal{P}$ does not satisfy $X.u \sqsupseteq A.r$ under $\mathcal{R}$. There are now four cases given by the type of the statement $A.r \leftarrow \alpha \in \mathcal{P}$ that is used to construct $(\mathcal{P}', \mathcal{R}', X.u \sqsupseteq \rho)$.

Case 1: $\alpha$ is a principal. In this case $\rho = A'.r'$ and $[\![\rho]\!]_{\mathcal{P}''} = \{E\}$. Given the relationship between $\mathcal{R}$ and $\mathcal{R}'$, it is not hard to see that $\mathcal{P}''' = \mathcal{P}'' - \{A'.r' \leftarrow E\}$ is reachable from $\mathcal{P}$ under $\mathcal{R}$. By the construction in Decompose in this case, $A.r \leftarrow E \in \mathcal{P}$. Since $A.r \in \mathcal{S}_{\mathcal{R}}$, it follows that $A.r \leftarrow E \in \mathcal{P}'''$ and thus $E \in [\![A.r]\!]_{\mathcal{P}'''}$. Because $E \notin [\![X.u]\!]_{\mathcal{P}''}$, it follows by the monotonic nature of the semantics that $E \notin [\![X.u]\!]_{\mathcal{P}'''}$, completing the proof in this case.

Case 2: $\alpha$ is a role. In this case $\rho = \alpha$ and $E \in [\![\rho]\!]_{\mathcal{P}''}$ for some $\mathcal{P}''$ reachable from $\mathcal{P}$ under $\mathcal{R}$. By the construction in Decompose, in this case $E \in [\![A.r]\!]_{\mathcal{P}''}$, since $A.r \leftarrow \alpha \in \mathcal{P}''$ because, as above, $A.r \leftarrow \alpha \in \mathcal{P}$ and $A.r \in \mathcal{S}_{\mathcal{R}}$.

Case 3: $\alpha$ is a linked role of the form $B.r_1.r_2$. In this case $\rho = A'.r'$ and $E \in [\![\rho]\!]_{\mathcal{P}''}$. Given the relationship between $\mathcal{R}$ and $\mathcal{R}'$, it is not hard to see that $\mathcal{P}''' = \mathcal{P}'' - \{A'.r' \leftarrow B.r_1.r_2\}$ is reachable from $\mathcal{P}$ under $\mathcal{R}$. By the construction in Decompose, $A'.r' \leftarrow \alpha$ is the only statement defining $A'.r'$ in $\mathcal{P}''$. Thus there exists some $C \in [\![B.r_1]\!]_{\mathcal{P}'''}$ such that $E \in [\![C.r_2]\!]_{\mathcal{P}'''}$. We also have $A.r \leftarrow B.r_1.r_2 \in \mathcal{P}'''$ because $A.r$ is shrink restricted, so $E \in [\![A.r]\!]_{\mathcal{P}'''}$. Because $E \notin [\![X.u]\!]_{\mathcal{P}''}$, it follows by the monotonic nature of the semantics that $E \notin [\![X.u]\!]_{\mathcal{P}'''}$, completing the proof in this case.

Case 4: $\alpha$ is the intersection of two roles $B.r_1$ and $C.r_2$. In this case $\rho = A'.r'$ and $E \in [\![\rho]\!]_{\mathcal{P}''}$. Given the relationship between $\mathcal{R}$ and $\mathcal{R}'$, it is not hard to see that $\mathcal{P}''' = \mathcal{P}'' - \{A'.r' \leftarrow B.r_1 \cap C.r_2\}$ is reachable from $\mathcal{P}$ under $\mathcal{R}$. By the construction in Decompose, $A'.r' \leftarrow \alpha$ is the only statement defining $A'.r'$ in $\mathcal{P}''$. Thus it must be the case that $E \in [\![B.r_1]\!]_{\mathcal{P}'''} \cap [\![C.r_2]\!]_{\mathcal{P}'''}$. We also have $A.r \leftarrow B.r_1 \cap C.r_2 \in \mathcal{P}'''$ because $A.r$ is shrink restricted, so $E \in [\![A.r]\!]_{\mathcal{P}'''}$. Because $E \notin [\![X.u]\!]_{\mathcal{P}''}$, it follows by the monotonic nature of the semantics that $E \notin [\![X.u]\!]_{\mathcal{P}'''}$, completing the proof in this last case.

Now we show that entailment holds in the other direction, again by showing the contrapositive. We assume $\mathcal{P}''$ is reachable from $\mathcal{P}$ under $\mathcal{R}$ and there exists some principal $E$ such that $E \in [\![A.r]\!]_{\mathcal{P}''}$ and $E \notin [\![X.u]\!]_{\mathcal{P}''}$. Using this assumption, we show there exists at least one $(\mathcal{P}', \mathcal{R}', X.u \sqsupseteq \rho) \in \mathrm{Decompose}(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ where $\mathcal{P}'$ does not satisfy $X.u \sqsupseteq \rho$ under $\mathcal{R}'$.

Because $E \in [\![A.r]\!]_{\mathcal{P}''}$ it must be the case that $E \in T_{\mathcal{P}''}\!\uparrow^{\omega}[A.r]$, which means that (at least) one of the disjuncts in Definition 1 of $T_{\mathcal{P}''}(\pi)$ must hold when $\pi$ is taken to be $T_{\mathcal{P}''}\!\uparrow^{\omega}$. Recall that $T_{\mathcal{P}''}\!\uparrow^{\omega} = T_{\mathcal{P}''}(T_{\mathcal{P}''}\!\uparrow^{\omega})$. Thus we have four cases, one for each disjunct.

Case 1: $E \in T_{\mathcal{P}''}\!\uparrow^{\omega}[A.r]$ is generated by $A.r \leftarrow E \in \mathcal{P}''$. Since $A.r \in \mathcal{G}_{\mathcal{R}}$ it follows that $A.r \leftarrow E \in \mathcal{P}$. Thus there exists $(\mathcal{P}', \mathcal{R}', X.u \sqsupseteq A'.r') \in \mathrm{Decompose}(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ in which $\mathcal{P}' = \mathcal{P} \cup \{A'.r' \leftarrow E\}$ and $\mathcal{R}' = (\mathcal{G}_{\mathcal{R}} \cup \{A'.r'\}, \mathcal{S}_{\mathcal{R}} \cup \{A'.r'\})$. Since $\mathcal{P}''$ is reachable from $\mathcal{P}$ under $\mathcal{R}$, it is easy to check that $\mathcal{P}''' = \mathcal{P}'' \cup \{A'.r' \leftarrow E\}$ is reachable from $\mathcal{P}'$ under $\mathcal{R}'$, and that $[\![A'.r']\!]_{\mathcal{P}'''} = \{E\}$. A simple induction on $i$ shows that for all principals $B_1$ and $B_2$, and for all role names $r_3$, such that $B_1 \neq A'$ and $r_3 \neq r'$, $B_2 \in T_{\mathcal{P}''}\!\uparrow^{i}[B_1.r_3]$ if and only if $B_2 \in T_{\mathcal{P}'''}\!\uparrow^{i}[B_1.r_3]$. From this we get $E \notin [\![X.u]\!]_{\mathcal{P}'''}$, as required.

Case 2: $E \in T_{\mathcal{P}''}\!\uparrow^{\omega}[A.r]$ is generated by $A.r \leftarrow B.r_1 \in \mathcal{P}'' \wedge E \in T_{\mathcal{P}''}\!\uparrow^{\omega}[B.r_1]$. In this case we have $E \in [\![B.r_1]\!]_{\mathcal{P}''}$ and $E \notin [\![X.u]\!]_{\mathcal{P}''}$. By hypothesis $\mathcal{P}''$ is reachable from $\mathcal{P}$ under $\mathcal{R}$. Furthermore, by construction, $(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq B.r_1) \in \mathrm{Decompose}(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$, thus completing the proof in this case.

Case 3: $E \in T_{\mathcal{P}''}\!\uparrow^{\omega}[A.r]$ is generated by $A.r \leftarrow B.r_1.r_2 \in \mathcal{P}'' \wedge \exists Z.\, Z \in T_{\mathcal{P}''}\!\uparrow^{\omega}[B.r_1] \wedge E \in T_{\mathcal{P}''}\!\uparrow^{\omega}[Z.r_2]$. Fix such a $Z$. Since $A.r \in \mathcal{G}_{\mathcal{R}}$ it follows that $A.r \leftarrow B.r_1.r_2 \in \mathcal{P}$. Thus there exists $(\mathcal{P}', \mathcal{R}', X.u \sqsupseteq A'.r') \in \mathrm{Decompose}(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ in which $\mathcal{P}' = \mathcal{P} \cup \{A'.r' \leftarrow B.r_1.r_2\}$ and $\mathcal{R}' = (\mathcal{G}_{\mathcal{R}} \cup \{A'.r'\}, \mathcal{S}_{\mathcal{R}} \cup \{A'.r'\})$. Since $\mathcal{P}''$ is reachable from $\mathcal{P}$ under $\mathcal{R}$, it is easy to check that $\mathcal{P}''' = \mathcal{P}'' \cup \{A'.r' \leftarrow B.r_1.r_2\}$ is reachable from $\mathcal{P}'$ under $\mathcal{R}'$, and that $E \in [\![A'.r']\!]_{\mathcal{P}'''}$. A simple induction on $i$ shows that for all principals $B_1$ and $B_2$, and for all role names $r_3$, such that $B_1 \neq A'$ and $r_3 \neq r'$, $B_2 \in T_{\mathcal{P}''}\!\uparrow^{i}[B_1.r_3]$ if and only if $B_2 \in T_{\mathcal{P}'''}\!\uparrow^{i}[B_1.r_3]$. From this we get $E \notin [\![X.u]\!]_{\mathcal{P}'''}$, $Z \in T_{\mathcal{P}'''}\!\uparrow^{\omega}[B.r_1]$, and $E \in T_{\mathcal{P}'''}\!\uparrow^{\omega}[Z.r_2]$. Since $A'.r' \leftarrow B.r_1.r_2 \in \mathcal{P}'''$, it follows that $E \in T_{\mathcal{P}'''}\!\uparrow^{\omega}[A'.r']$, giving us $E \in [\![A'.r']\!]_{\mathcal{P}'''}$ as required.

Case 4: $E \in T_{\mathcal{P}''}\!\uparrow^{\omega}[A.r]$ is generated by $A.r \leftarrow B.r_1 \cap C.r_2 \in \mathcal{P}'' \wedge E \in T_{\mathcal{P}''}\!\uparrow^{\omega}[B.r_1] \wedge E \in T_{\mathcal{P}''}\!\uparrow^{\omega}[C.r_2]$. Since $A.r \in \mathcal{G}_{\mathcal{R}}$ it follows that $A.r \leftarrow B.r_1 \cap C.r_2 \in \mathcal{P}$. Thus there exists $(\mathcal{P}', \mathcal{R}', X.u \sqsupseteq A'.r') \in \mathrm{Decompose}(\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ in which $\mathcal{P}' = \mathcal{P} \cup \{A'.r' \leftarrow B.r_1 \cap C.r_2\}$ and $\mathcal{R}' = (\mathcal{G}_{\mathcal{R}} \cup \{A'.r'\}, \mathcal{S}_{\mathcal{R}} \cup \{A'.r'\})$. Since $\mathcal{P}''$ is reachable from $\mathcal{P}$ under $\mathcal{R}$, it is easy to check that $\mathcal{P}''' = \mathcal{P}'' \cup \{A'.r' \leftarrow B.r_1 \cap C.r_2\}$ is reachable from $\mathcal{P}'$ under $\mathcal{R}'$, and that $E \in [\![A'.r']\!]_{\mathcal{P}'''}$. A simple induction on $i$ shows that for all principals $B_1$ and $B_2$, and for all role names $r_3$, such that $B_1 \neq A'$ and $r_3 \neq r'$, $B_2 \in T_{\mathcal{P}''}\!\uparrow^{i}[B_1.r_3]$ if and only if $B_2 \in T_{\mathcal{P}'''}\!\uparrow^{i}[B_1.r_3]$. From this we get $E \notin [\![X.u]\!]_{\mathcal{P}'''}$, $E \in T_{\mathcal{P}'''}\!\uparrow^{\omega}[B.r_1]$, and $E \in T_{\mathcal{P}'''}\!\uparrow^{\omega}[C.r_2]$. Since $A'.r' \leftarrow B.r_1 \cap C.r_2 \in \mathcal{P}'''$, it follows that $E \in T_{\mathcal{P}'''}\!\uparrow^{\omega}[A'.r']$, giving us $E \in [\![A'.r']\!]_{\mathcal{P}'''}$ as required. ∎


Lemma 16 (Equivalence of using $\mathcal{N}$ and $\mathcal{N}'$) (Section 4.1) Let $\pi = (\mathcal{P}, \mathcal{R}, X.u \sqsupseteq A.r)$ be any RCPI. There exist $\mathcal{P}'$ and $E \in \mathrm{Principals}(\mathcal{P}')$ such that $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}' \subseteq \mathcal{P} \cup \mathcal{N}(\pi)$, $E \in [\![A.r]\!]_{\mathcal{P}'}$, and $E \notin [\![X.u]\!]_{\mathcal{P}'}$ if and only if there exist $\mathcal{P}''$ and $E \in \mathrm{Principals}(\mathcal{P}'')$ such that $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}'' \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))$, $E \in [\![A.r]\!]_{\mathcal{P}''}$, and $E \notin [\![X.u]\!]_{\mathcal{P}''}$.

Note that $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}'' \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))$ implies $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \mathcal{P}''$.

Proof. The "if" part follows because, by construction, $\mathcal{N}'(\pi) \subseteq \mathcal{N}(\pi)$. For the "only if" part, suppose we are given any policy $\mathcal{P}'$ satisfying the conditions stated in the lemma. We show that a $\mathcal{P}''$ exists satisfying the required conditions. We begin by constructing $\hat{\mathcal{P}}$ from $\mathcal{P}'$ such that:

1. $E \in [\![A.r]\!]_{\hat{\mathcal{P}}}$ and $E \notin [\![X.u]\!]_{\hat{\mathcal{P}}}$;

2. $\hat{\mathcal{P}}$ contains no statements of the form $F.r_1 \leftarrow e$ such that $F.r_1 \in \mathrm{NoLinkedDefs}(\mathcal{P})$ and $F.r_1 \leftarrow e \notin \mathcal{P}|_{\mathcal{S}_{\mathcal{R}}}$;

3. $\hat{\mathcal{P}}$ contains no statements of the form $A \leftarrow F$ such that $F \in \mathrm{NoLinkedPrinc}(\mathcal{P})$ and $A \leftarrow F \notin \mathcal{P}|_{\mathcal{S}_{\mathcal{R}}}$.

The $\hat{\mathcal{P}}$ we construct may not satisfy $\hat{\mathcal{P}} \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))$ because the construction may add principals not occurring in $\mathrm{Principals}(\mathcal{P}) \cup \mathrm{NewPrinc}(\pi)$. In the second part of the proof, we show how to obtain $\mathcal{P}''$ from $\hat{\mathcal{P}}$ so that the size of $\mathrm{Principals}(\mathcal{P}'') - \mathrm{Principals}(\mathcal{P})$ is less than or equal to the size of $\mathrm{NewPrinc}(\pi)$. The principals in the former set can then be replaced by principals in $\mathrm{NewPrinc}(\pi)$ according to any injective mapping to obtain the $\mathcal{P}''$ required.

As just mentioned, the construction of $\hat{\mathcal{P}}$ from $\mathcal{P}'$ introduces new principals not occurring in $\mathrm{Principals}(\mathcal{P}) \cup \mathrm{NewPrinc}(\pi)$. In the construction below we use $H$ to represent these new principals; it is important to understand that as we consider each $F \in \mathrm{Principals}(\mathcal{P})$, the new principal denoted by $H$ is different for each different principal $F$.

The construction of $\hat{\mathcal{P}}$ from $\mathcal{P}'$ proceeds as follows. For each $F \in \mathrm{Principals}(\mathcal{P})$ and each $r_1 \in \mathrm{Names}(\mathcal{P})$, if $F.r_1 \in \mathrm{NoLinkedDefs}(\mathcal{P})$, we select a new principal $H$ not occurring in $\mathcal{R}$, $\mathcal{P}$, $\mathcal{P}'$, or in the partially constructed $\hat{\mathcal{P}}$, and modify $\hat{\mathcal{P}}$ by performing the following three steps. First, if $F.r_1 \in \mathrm{NoLinkedDefs}(\mathcal{P})$ and $F.r_1 \leftarrow e \in \hat{\mathcal{P}}$, add $H.r_1 \leftarrow e$ to $\hat{\mathcal{P}}$. If $F.r_1 \leftarrow e \notin \mathcal{P}|_{\mathcal{S}_{\mathcal{R}}}$, additionally remove $F.r_1 \leftarrow e$ from $\hat{\mathcal{P}}$. This accomplishes requirement (2) above. Second, for each statement of the form $A \leftarrow F \in \hat{\mathcal{P}}$, add $A \leftarrow H$. If $F \in \mathrm{NoLinkedPrinc}(\mathcal{P})$ and $A \leftarrow F \notin \mathcal{P}|_{\mathcal{S}_{\mathcal{R}}}$, also remove $A \leftarrow F$. This accomplishes requirement (3) above. Third, for each statement $A \leftarrow e$ such that $F.r_1$ occurs in $e$, add $A \leftarrow e'$, in which $e'$ is obtained from $e$ by replacing $F.r_1$ by $H.r_1$. This step is required to ensure that each role other than the $F.r_1$ and $H.r_1$ considered above maintains the same role membership in $\hat{\mathcal{P}}$ as it does in $\mathcal{P}'$, except that if it contains $F$ under $\mathcal{P}'$, it contains $H$ under $\hat{\mathcal{P}}$ and may or may not include $F$. We next clarify this point.

Intuitively, in $\hat{\mathcal{P}}$, each new role $H.r_1$ and new principal $H$ function exactly as the corresponding $F.r_1$ and $F$ do in $\mathcal{P}'$. This can be made precise by proving that the role memberships obtained are identical for $\mathcal{P}'$ and $\hat{\mathcal{P}}$, with the following three exceptions. (i) For the roles and principals $F.r_1$ and $F$ considered above, every role that contains $F$ in the semantics induced by $\mathcal{P}'$ contains $H$ and may or may not contain $F$ in the semantics induced by $\hat{\mathcal{P}}$. (ii) For every role $F.r_1$ for which $H.r_1$ was introduced, $[\![H.r_1]\!]_{\hat{\mathcal{P}}}$ is the same as $[\![F.r_1]\!]_{\mathcal{P}'}$ except that if the latter contains $F$, the former contains $H$ and may or may not contain $F$. (iii) $\hat{\mathcal{P}}$ may or may not contain statements defining $F.r_1$. This can be shown by a straightforward induction on the fixpoint calculation. Note that because we have removed no statements in $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}}$ and have added only statements defining roles of new principals not occurring in $\mathcal{G}_{\mathcal{R}}$, we have $\mathcal{P} \mapsto^{*}_{\mathcal{R}} \hat{\mathcal{P}}$.

Having constructed $\hat{\mathcal{P}}$, we now show how to eliminate redundant new principals so that the new principals in $\mathcal{P}''$ can be mapped injectively into principals in $\mathrm{Principals}(\mathcal{P}) \cup \mathrm{NewPrinc}(\pi)$. Because this mapping is so straightforward, we suppress its details in the following.

Construction of $\mathcal{P}''$ such that $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}'' \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))$, $E \in [\![A.r]\!]_{\mathcal{P}''}$, and $E \notin [\![X.u]\!]_{\mathcal{P}''}$ follows by the same argument used by Li et al. in [21] in the proof of their Theorem 4.11. In that argument, an equivalence relation $\equiv$ over principals is introduced. Principals in $\mathcal{P}$ are equivalent only to themselves, while new principals are equivalent if they are members of the same subset of $\mathrm{SigRoles}(\pi)$. It is then shown that each member of an equivalence class induced by $\equiv$ can be replaced by a single representative of the class. (It is assumed that the representative of the equivalence class containing $E$ is $E$ itself.) Note that this transformation does not remove any statement in $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}}$. The proof of Li et al. shows that from $E \in [\![A.r]\!]_{\hat{\mathcal{P}}}$ and $E \notin [\![X.u]\!]_{\hat{\mathcal{P}}}$ it follows that $E \in [\![A.r]\!]_{\mathcal{P}''}$ and $E \notin [\![X.u]\!]_{\mathcal{P}''}$.

The important point for us here is that this construction of $\mathcal{P}''$ does not reintroduce any statements of the form removed from $\mathcal{P}'$ in the construction of $\hat{\mathcal{P}}$. This holds because the statements removed during the construction of $\hat{\mathcal{P}}$ define roles owned by principals in $\mathcal{P}$, while the representatives of the non-singleton equivalence classes do not occur in $\mathcal{P}$. Assuming the injective mapping of principals in $\mathcal{P}''$ to principals in $\mathrm{Principals}(\mathcal{P}) \cup \mathrm{NewPrinc}(\pi)$ has already been applied, we now have $\mathcal{P}|_{\mathcal{S}_{\mathcal{R}}} \subseteq \mathcal{P}'' \subseteq (\mathcal{P} \cup \mathcal{N}'(\pi))$, $E \in [\![A.r]\!]_{\mathcal{P}''}$, and $E \notin [\![X.u]\!]_{\mathcal{P}''}$, as required to complete the proof. ∎